BRUH

stole my first comment lmao

Yes

ok

sussy very sussy indeed bruh (y)

Why do you run a desktop environment on your web facing server? Why do you also allow users to login to that server? These are 2 requirements of your server in order to do this exploit. There is a reason it wasn't patched 10 years ago when it was found.

@@gg-gn3re They're just reacting to the first bit, not the whole video.

@@gg-gn3re It's not that. It's the mentality you gain from it.

Calm down bro, before you can escalate privileges you need to gain access to the system. If your server has minimal security measurements (no public ssh availability, key authentication), you should‘t be worried about this

@@leroyjenkins1911 if you're saying this i suspect you didn't quite see log4j "recent" exploit right? i'll just imagine that you didn't.

your lucky to have a roommate to discuss that stuff with lol. My friends rudely cut me off

@@kevinalexander4959 i dont think those are friends bro

FYI, we were roomates in college and we are working in the same city so we live together as roomates again. We are from Bangalore - India.

@@aditya.ishan27 so you're both black, you have nothing to be ashamed of

@@Angel-Pizzaeater Really? You just HAD to bring RACE into a positive comment...

Simplest things would be to give all users root-access, then they would not try todo this. I will wait for my Nobel Prize.

Wouldn't it be easier to just throw an OutOfBounds exception if encountered 'null' while reassigning path in pkexec.c

@@AndrewTSq If everyone is a root user, then no one is a root user. Simple!

@@raz0229 1. C doesn't have exceptions 2. the value was not null at the time 3. argc must be used to check bounds, and that is the correct solution here

i have a simpler fix: just destroy your pc and boom they cant hack it anymore

Yeah, it's not exactly like Hollywood :)

... or sticking to "arbitrary" rules that have been developed over the years... That code should have been fixed, even is there was no exploit. Always assume the attacker is smarter than you; just because *you* can't see an exploit, doesn't mean there isn't one... This is a constant challenge with management types who only react to "big" exploits because they can't "see" the threat...

Eh not really,

@@edwardcullen1739: What are you referring to?

@@jeschinstad The code violates many rules of defensive programming. The fact that there was a potential out-of-bounds write should have been fixed, regardless of whether it was "exploitable", because you "never know" - as proven by this video.

argv[0] does always exist if argv is defined, but the C language standard has always said that it can be null (when argc is zero), as far as I can tell. So they could have just read the standard document. :)

This seems like the type of thing though that the exploit was known for a while but only got executed years later

​@@X_Baron do you think Red Hat (creator of this crap along other amazing turds like systemd) care about standards lol

is it even normal practice? how common is writing your own cli parser? I imagine there has to be some standard and safe way or a lib to do it

As far as I can understand, the false assumption is that argv[1] exists.

your parents?🤣

@@clivejameston7557 yeah? why is that funny to you, it just means there is parental controls.

is your father linus torvalds? heh

@@clivejameston7557 I don't get the joke

how did the deletion of leftpad help you gain root access?

I understand pointers, but I have no idea how C pointers work LMAO, the pointer star notation is still kinda confusing

@@Rudxain OS level coding is a completely different ball game lmao

@@Rudxain y = 0; int* x;

@@Rudxain int* x declares pointer variable x. The variable x now stores an adress. *x will get the value stored at the address in the variable x

@@drakey6617 Thank you for clearing my confusion, it seems more simple now

Write up? You mean video? This is hardly in written form.

@@Dyanosis Thank you, Captain Obvious. "Write Up" == "After Action Report" == "How The FUCK Did He Do THAT?" In future, please leave you petty semantic quibbles by the door. Thank you.

Thanks, I was also confused by this! The video was just describing a lot of steps to make that program do something ... that you could just do in your own program that would be trivial to write. The fact that program runs in a privileged context is a critical prerequisite of the exploit that I'm surprised the video didn't mention.

If you know what pkexec command is used for (it's basically a graphical equivalent of sudo), then this is pretty obvious.

@@0raj0 Well it took me a good few seconds of confused thinking to connect the dots, i vaguely knew but it still took me a bit. For sure it would have been better had he mentioned it somewhere, like half a sentence.

@@SianaGearz he did, at some point near the beginning of the video, he describes what pkexec does.

Tbh I originally thought it was a privileged system service situation and was thinking "ok so I can start this program under my permissions, but *how do I get it to be involved by the system*" but this clarifies that. Thanks!

I think it's good that he uploads lately. Quality over Quantity: If he would upload faster, the other aspects would suffer(thumbnail, UI, etc.)

LiveOverflow is also pretty great.

@@danielalorbi thanks, a minecraft developer :)) Btw HorseNuggets is minecraft developer too

@@anukranan The only thing I can find on that page that remotely pertains to what I said is the passage about the assignment operator yielding an expression, such that a = b = c is equivalent to a = (b = c). I use this for compact conditionals like `while ((ch = getchar()) != EOF)`. That still doesn't make it a good idea to stuff multiple assignment expressions into one line. You're writing code for humans, not for the compiler.

​@@anukranan Being able to understand other people's code is an important skill, but it's equally important to advocate for good style and clean code. Sure, I can read a poorly programmed algorithm and figure out "where the variables end up" afterwards. But the difference between clean code and messy code is that I can parse the clean code faster because it's formatted more cleanly and uses less state and side effects. The "git gud" argument only holds up for so long. Eventually, one will come across code written 10 years ago that is thoroughly terrible and full of bugs, and after you finish refactoring it and fixing the bugs, you'll utter to yourself "what idiot wrote this code?"... only to realize that "idiot" was you. There are things that are reasonable to expect programmers to understand, like bitwise operations and idioms like n%2 and *ptr++ = value. And then there's code that tries to be too compact or too clever, and that's where the problems start. Hard to read and hard to understand doesn't mean one is incapable of doing so. It means that it takes longer. And sure, taking a few extra seconds to understand some "clever" code doesn't seem immediately bad, but that time adds up quickly. Having multiple assignments on one line isn't the worst practice, but the reason I consider it bad is because in order to comprehend all of the variables being used in the expression, you have to read it left to right. Since the alternative is doing them one by one on their own lines, left to right is inferior, because it _could_ be written in a way that can be read/scanned much faster. That's my rationale. And you can see it in my code. Every variable used in a function (at function scope) is hoisted to the top and declared separately, and a blank line separates the var declarations from the next "chunk" of code. Sure it results sometimes in a declaration followed by something else followed by that variable being defined proper, but doing it my way results in a clean and rapidly comprehensible manifest of the function's entire state. Also sorry if it takes me a long time to reply. KZbin doesn't notify me about this thread until someone upvotes it. I got no notification for either of your replies.

Was it accidental, really? A good coder can make a minor 'mistake' and leave a huge whole. Some aren't accidents.

@@xakthos no way its an accident. govt bribes and threatens companies and people to install backdoors under threat of vanishing. putting something like that in a program is easily within their bag of tricks. you just wont find anything about it via google. its a search engine and they can omit results. govt just needs to threaten google to omit results, and companies like money and being in business, easy choice for them.

@@xakthos hole*

Yep. I love that feeling when you wonder if something will work and it does. I'm not a very good programmer so when ideas work, i am ecstatic.

LOOOOOOL

Windows moment

Linux is another operating system--an open-source equivalent of UNIX. UNIX is what Mac OS X is based on, but UNIX itself is much lower-down and barebones than OS X, for OS X, Apple just licensed UNIX and built a pretty window manager on top of it. Anyway Linux is similarly low-down and barebones--you can install pretty window managers on top of it (Android is built on top of Linux) but you don't need to, and for this reason and for its general stability it's very popular for web servers and systems which need to be on for a long time.

In English, he means it’s like Windows but made by a community of people and it has more options

@@User2o2 It's not by a different company, it was made and is managed by the open source community. Aka, it's owned by everyone. People on the internet out of the kindness of their hearts maintain it, and so many companies use it they pay to people to maintain it.

I love this comment

@@User2o2 i figured the guy was in high school, he should at least be able to understand 3/4 of what i was saying and he could google the rest.

This world is rapidly passing away and I hope that you repent and take time to change before all out disaster occurs! Belief in messiah alone is not enough to grant you salvation - Matthew 7:21-23, John 3:3, John 3:36 (ESV is the best translation for John 3:36) if you believed in Messiah you would be following His commands as best as you could. If you are not a follower of Messiah I would highly recommend becoming one. Call on the name of Jesus and pray for Him to intervene in your life - Revelation 3:20. Contemplate how the Roman Empire fulfilled the role of the beast from the sea in Revelation 13. Revelation 17 confirms that it is in fact Rome. From this we can conclude that A) Jesus is the Son of God and can predict the future or make it happen, B) The world leaders/nations/governments etc have been conspiring together for the last 3000+ years going back to Babylon and before, C) History as we know it is fake. You don't really need to speculate once you start a relationship with God. Can't get a response from God? Fasting can help increase your perception and prayer can help initiate events. God will ignore you if your prayer does not align with His purpose (James 4:3) or if you are approaching Him when "unclean" (Isaiah 1:15, Isaiah 59:2, Micah 3:4). Stop eating food sacrificed to idols (McDonald's, Wendy's etc) stop glorifying yourself on social media or making other images of yourself (Second Commandment), stop gossiping about other people, stop watching obscene content etc. Have a blessed day!

Yeah I don't understand why the conversion module ever gets invoked with privileges... That just seems like an obvious exploit angle.

Same I understand the basics and I could tell how everything is supposed to play but don't understand the functions of them 😅

This world is rapidly passing away and I hope that you repent and take time to change before all out disaster occurs! Belief in messiah alone is not enough to grant you salvation - Matthew 7:21-23, John 3:3, John 3:36 (ESV is the best translation for John 3:36) if you believed in Messiah you would be following His commands as best as you could. If you are not a follower of Messiah I would highly recommend becoming one. Call on the name of Jesus and pray for Him to intervene in your life - Revelation 3:20. Contemplate how the Roman Empire fulfilled the role of the beast from the sea in Revelation 13. Revelation 17 confirms that it is in fact Rome. From this we can conclude that A) Jesus is the Son of God and can predict the future or make it happen, B) The world leaders/nations/governments etc have been conspiring together for the last 3000+ years going back to Babylon and before, C) History as we know it is fake. You don't really need to speculate once you start a relationship with God. Can't get a response from God? Fasting can help increase your perception and prayer can help initiate events. God will ignore you if your prayer does not align with His purpose (James 4:3) or if you are approaching Him when "unclean" (Isaiah 1:15, Isaiah 59:2, Micah 3:4). Stop eating food sacrificed to idols (McDonald's, Wendy's etc) stop glorifying yourself on social media or making other images of yourself (Second Commandment), stop gossiping about other people, stop watching obscene content etc. Have a blessed day!

Agreed, but at least we had the opportunity to find it.

People are delusional. It is never a matter of if only a matter of when.

@@LuminousWhispers11 and what, and why, and how...

You're never 100% safe. But this still doesn't change the fact that Linux is STILL very safe. Nevertheless people use BSD's for better security

True, though Linux basically hand over more tools for you to secure your machine against exploits like this such as AppArmor/SELinux which can restrict programs what they can do with root privilege. Windows equivalence is Mandatory Integrity Control which is pretty crap in comparison especially on Windows 11 which breaks everything.

From man page on `execve`: "The argv array must be terminated by a NULL pointer." Implies it's the programmer's job to terminate it with a null.

@@PwnFunction yes I then realized we were talking about execve and not running the program "normally" I got confused because by talking about having NULL in argv[0] I was hearing that as setting the first argument to NULL, while we are not actually setting any argument at all

Lies again? Drink Carlsberg

@@NazriB 👍ok

Requiring programmers to pass the executable name again in the argument array is just as absurd as the day I learned that it is required

Polkit is also a fishy name ending up as a rootkit instead. Gotta wonder which agency needed that hole

@@buzifalus honestly thats exactly my thought. US govt had a backdoor of sorts into pretty much every system running RSA encryption years ago. pretty much the entire world was vulnerable to it except the CIA and a few tech collages, both of which had their own seeds rather then trusting the default. To be fair, virtually nobody understood the security well enough to feel safe making their own or trusting someone to do it. It just so happened that the US govt had the seed though so cracking anything using RSA encryption was trivial. They only got caught when they had RSA put out a "security improvement" which when the security community tested, compared to previous versions, you could crack passwords even faster. They called out RSA since this was impossible to miss and the president of RSA outed that govt had forced him and his company to share the seed as well as implement this 'improvement', they were also paid for it. After the govt lost that they began work on PRISM, that spy system the US govt was using that edward snowden outed. they were pushing it into more and more companies and had claims it was in a few major ones, those companies deny it, but what else can they do say 'yeah the govt forced us to put in a backdoor for them to access your data and we didnt tell you or fight it in court' they would lose customers instantly. So the idea that this could have been put in place on purpose is 100% possible and definitely something the govt would do. too many bad practices that all line up to allow a massive exploit. We can look forward to the new windows exploit. windows 11 with a 'security' chip on the motherboard, that windows 11 wont work without, and that whole 'windows 10 will be our last version ever, we will keep updating it' suddenly it looks like the govt stepped in and said 'we want everyone on our new backdoor version'.

@@jessiejanson1528 A lot of information about this has been scrubbed from the internet as well, including entire Wikipedia pages which had legitimate sources.

@@jessiejanson1528 This is a beautiful reason why buzzwords like e2e are misdirections. If you are communicating really really really sensitive information, Big Brother may still be able to watch them be it in whatsapp or opensignal. If youre a commoner like me then don't bother beyond basic encryption, as whatsapp frontend can scrape the data once it decrypts it anyways. You only need avoid random scammer-hackers from knowing about you.

Classic "clever code syndrome" where the programmer tries to do something clever, misses some edge case, makes the code a nightmare to maintain and introduces bugs to the system all in the name of saving insignificant amounts of runtime and memory... really makes you wonder how a package like that got shipped with major linux distros

as soon as I saw "argv[n] = path = s;" I had to wonder why on earth anybody would write to the arguments. As far as I'm aware, that's something nobody is supposed to do.

looks like the same guy that uses "goto"

@@gabrielpar3519 Goto bashing is so 1980! ;) Seriously - once compiled, there are gotos everywhere (JMP, JAL, JZ, JNZ,...). If used in the right scenario it can lead to more expressive code than avoiding it at any cost ever could.

@@bluesillybeard really because you are too lazy to create a new data storage for it. So you reuse the args.

@@gabrielpar3519 Goto is used a lot in C and kernel programming

There is no boundary in the memory where the actual strings are stored, but the argv array of pointers into that memory is terminated with a null pointer.

Thanks! SF mono

Same

probably just checking the length of the list would fix it

Switch to a good language until it's too late

@Synth Depends on how you define a good language. People say JavaScript isn't a good language because it allows you to shoot yourself in the foot, well C allows you to freakin nuke your hometown. With great power comes great risks. Other languages will just give an API to access args and another for envs.

@Synth it's only capable of writing programs with vulnerabilities. even the most expricened dev can't deal with it

@Synth what about rust lol? Well that's a point not using such low level languages and rely to virtual machines. C doesn't even has smart pointers, absolute trash

I think this becomes clear when he shows the code of the exploit at 12:00. It's a bit surprising that execve allows argv[0] == null to be passed to the child process.

That would break any program that modifies its own ``argv[0]`` to change its program name in `ps` and such.

@@szr8 It doesn't modify what shows up in 'ps', just what argv[0] points to. Remember, the array that is argv is on the stack. So everything it points to is considered read-only, but the pointers on the stack are not. You can't change argv[0][0], but you can change argv[0];

@@anon_y_mousse Afaics, the code here didn't change argv[1][0], just argv[1]. Same thing. The problem is just that argv[1] is an alias for env[0] in this setup.

@@ccreutzig Actually, I just had a look at the code in question. Turns out it doesn't modify argv at all. I guess I should pay attention better. Apparently, the whole bug is in calling it with an empty argv, because it skips past argv[0] which when using exec*() like this can be empty. Moral of the story with this code, is don't expect that you're being called with your program name as argv[0]. Though, I stand by my statement that you should never modify argc and argv regardless of what you're doing.

@@ccreutzig Actually, disregard most of the previous comment too, I was looking at the updated code by mistake, and it does alter argv. However, the problem is that they expected argv[0] to point somewhere that it doesn't, and they didn't properly account for a 0 length argv.

Right. It has to create n and initialize it to 1 before it can compare it to anything. The comparison returns false so the body of the loop is not entered but n is still 1

pkexec is used in GUI applications. It can pop up a graphical prompt for password, so it is basically a sudo replacement for GUI applications. Also pkexec is a part of Polkit, which is basically a library that allows application to request privilege elevation when they need it, so you can write application that normally does not need root, but for certain operation it does, and in that case it pops up a prompt requesting password from the user (something similar to UAC prompts in Windows). A lot of GUI applications use this.

Well said! Having to deal with too low-level implementation details together with the business logic makes us defocused and it's too easy to make mistakes.

Considering the purpose of pkexec, it is obvious that it has the setuid bit set.

Yer, it's the usual problem of allowing a variable (n) to exist beyond the scope that it's needed for. If you really have to use globals, you need to do some sanity checking before you use them.

Pretty sure it is 0. The number of elements (including argv[0]) before the null value.

@@HenryLoenwind Indeed. I consider myself as an experienced C programmer and I was shocked to discover that argc can be 0. Using a 'for' or 'while' loop starting at index 1 is a pretty standard way to process arguments in C/C++. Pretty much any tutorial about argument processing in C is using such a loop. There are probably thousands of applications that could be abused in a similar way. Of course, most of them do not run setuid so that should not matter much (there are far easier ways to 'hack' a non-setuid program).

@@HenryLoenwind This is what I was figuring, I just did not realize that that value was set such that it existed outside of the loop

@@cynodont7391 Is it convention to do it with a global variable like what was done in this video? That's what seems to be the culprit here

That's assuming this bug was not intentional on somebody's part. Who knows what inducements and/or persuasion is applied to those few who are meant to "insect" code for bugs?

@@YodaWhat Very good point, too. And when we look at the numbers of discovered, exploitable bugs like this, we find that they're not much different to closed source software, and are sometimes worse, with worse effect because so many people use OSS.

It's a privilage ESCALATION attack, meaning the system has already been breached or you have access already but as a low permision user and you are giving yourself better perms in order to do more detrimental things (like edit something you arent supposed to or view confidential information). A good example might be that you have remoted into a file sharing server and then as a guest on the server you run the code, get root, then add a new user to access everything with or maybe open a new reverse shell or smthn

the exploit has to be executed by the 'local' machine. That can be triggered remotely through ssh, since polkit is an exec you can reach without sudo. Not necessarily like you open an email and suddenly your system deletes itself. You gotta have a keyboard connection (like ssh) to execute this, or the user has to be tricked into executing it by hiding it in something like an app install executable. as far as how did someone find out? It was found by some nerds at a security company, so more than likely they spent a week looking through polkit's source out of curiousity and found this. Coordinated media release on jan 25th in order to give RedHat a 2 month warning

@@teal8365 Well it doesn't only have to be ssh or user error. You can also get a shell/terminal by using an attack what's known as a "reverse shell". Many languages include some way of opening up a child process or making an http request, which is vulnerable to exploitation

Not only terminal access, but the machine needs a desktop environment installed as well, because these packages don't install otherwise.. they are for popup password prompts, which are only on DEs. I manage many servers with many different distros and none of them have pkexec on them because they're all headless. If your users don't have access to those prompts (which is pretty standard) you're already blocking access to this executable as well, so they couldn't even execute it.. so really right place right time type of exploit. There are many escalation attacks when you have this type of physical access.

@@gg-gn3re I found that too be the case with allot of exploits. The most dangerous place for them to be is right at the keyboard.

why can't you?

@@ericxue3244 at max

@@crusader_ check your device, the video's fine

As explained in the video - what if argc is 0?

Presumable there's a "break" inside the loop, something like "if argv[n] == "--" /* end of parameter list marker */ break;" Um, on second thought...: "if (argv[n] is not a flag) break;" is more likely.

EMOTIONAL DAMAGE

let's go a step further and rewrite everything in haskell. we need to go back to our roots

I'm just learning rust so I'm curious how rust would have prevented this error compared to c or even c++

@@askeladden450 Really depends on the exact code. Most likely, if you tried to write something very similar, you'd get a panic on the attempted out of bounds access. Though this is really not how you'd write this in Rust. 99.9% of the time you'd just use clap (or maybe some other proper arg parsing lib) or at the very least you wouldn't determine the length of the arguments by checking for a null pointer and similar weird stuff. Realistically, this is something that pretty much every slightly higher level language would prevent. But Rust is one of the few languages that have low-level speed and access with the safety of a high-level language.

High level languages are great, but one sacrifices performance and excellent quality low level code by using them. You can't have your cake and eat it too. Saying just use this is or that high language doesn't solve this general problem. There is no substitute for putting in the labor for well designed, cross analyzed for weakness, and heavily tested code.

@@cetyl2626 "performance and excellent quality low level code" lmao try rust before making stereotypes.

Nah

@@gestaltengine6369 Please explain what you mean, because @SnakeMaster's argument seems totally legit to me.

No shit

It's pkexec. It's known lousy.