I would buy a good ghidra course.

"I can't believe a company isn't held legally responsible" XD

Any chance you will be offering student discounts in the future? I’ve started doing picoCTF and hackthebox challenges for a school club and think that the courses would be great learning resources for building applications with c but the price feels a bit too prohibitive

How long do you expect a company to support their software after EoS/EoL?

bro. you have the style, you have the knowledge, and you have the courage. I liked your talk, your analysis, damn how I love these videos...keep going.

Exactly. The person who wrote safe_system probably got into arguments with the person who wrote account, who told them to not to worry about it. Some manager then told them to ship it and move on. Then the manager got their bonus for delivering on time.

@kapstersmusic I would assume the person who wrote safe_system never saw what the one who wrote account did. That would be gross negligence to not replace these 4 lines with their better, ready-made equivalents. Safe string processing is part of the standard, and safe_system is just there. Even without changing the string processing, just using safe_system to make sure the exploitable buffer overflow isn't literally ready to use as-is would be 2 seconds well spent. The security researcher would have maybe spent hours instead of minutes to get a working exploit.

The problem is not one programmer not being up to the task of writing safe code; or people talking to each other... the problem is quality assurance and testing. A company should never assume that a person doesn't make mistakes, it's about validation and testing. And D-Link apparently doesn't care enough about the quality of their products.

@@Exilum I would guess safe_system is from some sort of library, and the call to it was copy-pasted, but the account program was new and written by someone trying to only use the C standard library or sth like that, maybe because they didn't know how the Posix API worked, would be my guess.

@@svaira Or the other way around where the account software was from an older era some 30 years ago where things like this didn't really matter since it was executed from the root prompt.

they are just playing multi-dimansional chess 😆

XD 200 iq

@@dave7244 but the bug was present on day 1.

@@dave7244 The 340L was released in 2015, and according to the dLink website "This product was phased out on: 29/10/2017", so maybe they were available for sale until then (and maybe even after that date from some retailers).

@@dave7244 Are you using D-Link's suggested NTP server? en.wikipedia.org/wiki/D-Link#Server_misuse

//"D-Link US recommends retiring and replacing D-Link devices that have reached EOL/EOS" - To which every owner should say, "No problem, I'll replace it with a different brand".// ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^6

I agree.

" replace it with a different brand". Why? To have a bug from a different company? A bug which will be there for a decade, discovered only by hackers? Never buy a 'NAS'. Use your old PC, install TrueNAS on it, put it into its own VLAN and call it a day.

@@temp50 Most companies do emergency patches when these kinds of bugs pop up. Even microsoft does that.

QNAP or Synology should use this as free advertising for their newest kit

@@FrankEBailey WTF are you? Buy the stuff and install firmware, that can be called that way: OpenWRT !!!

​@@FrankEBaileyI think Synology had a zero day like 2 weeks ago

​@@adammontgomery7980 was the zero day as stupid as this one?

@@dancom6030 its not the first...

The CIA was too busy trying to kill fidel castro...

Semantic arguments are fun, but that's all they are. Backdoors target vulnerabilities. Vulnerabilities are bugs.

I think they’re implying it was intentional

@@himothanielCondescending responses to comments you don't understand are fun, but that's all they are.

You can read condescension into my comment if you like, but there wasn't any there. A small joke went over my head. I can acknowledge that.

Now this is bug fixing

lol that is amazing maliciously fixing bugs its like bethesda game modders.

Might as well install a webshell while you are at it.

Great idea. Shame its a read only file system. Shouldnt be upto the fbi or whitehats to fix easy fixes like this.

That was my initial thought as well. Seems this could be fixed rather easily, even by "hackers". The guy running this channel could probably make the patch, Linksys refuses to do, in a matter of minutes.

Nah, said bloke can scour the internet for eol products to hack. Win win.

@@bmanpura maybe, it would certainly teach them a lesson, but if your a genuine pen tester/bug bounty hunter your risking your career doing shit like that. The amount of attribution and tracking sites these days is insane. One example, I wrote a little article on footprinting Imap/POP3 mail servers last week. I googled the article the next day to find that id been entered into an International cyber threat database. The bot armys are real af bro. They had entire maps and models of endpoints and systems just from my write up.

Now he's mining bitcoin on your NAS, so whatever.

😂

I got a free replacement switch after finding a backdoor in D-Link.

Even if they audited the code they wrote who’s to say the unix utilities calling were audited. The usernames etc should have been sanitized to remove any non alphanumeric characters, so their safe system is anything but safe. Anyway it was a great video. Even with input sanitation, the fact it is calling other programs makes it a crapshoot.

@@richcole157 It looks like the vulnerability can be triggered through the `pw` field and it is much harder to sanitize it in the way you suggest for `name`.

Do you really think they have _teams_ working on that? More likely one part of the code was written by one overworked guy at one time, the other part written by another overworked unqualified guy at another time, and all copy-pasted together by an unpaid intern later ...

@@memyshelfandeye318 Well, that's like 2 teams right there! :D

@@IvanToshkov good point.

That should not be hot take at all. If aren't making money on your copyrighted thing, what are you protecting it for? Kind of same with games. Your game is not officially available for purchase? People get to crack it and share it freely without consequences.

​@@tyrannosaurus_x Yea honestly that take developed because of stop killing games initiative in the first place. And not even about "Me wants to play games that aren't available" thing ( be it it's still valid approach) or that company isn't making money anyway, i mean questioning how system works in much broader way. We as society agreed to protect data, (art work code, design so on) (which i'm not against to be clear, my problem starts and ends with how system work currently not with existence of system) and at this point we agreed to do so at ridiculous time frame, Mickey Mouse famously entered public domain in 2024, a artwork from between world wars period, i'm from Poland, in our calendar that's like two invasions ago, neither of my parent's were alive when it came out, and they had me at ridiculous old age, they grew up in different world, telephones were rare, cars too, country was still firm in grip of USSR and iron curtain divided Europe, i grew up in free Poland, wit ability to free travel across Europe because of shengen, with internet access since i could remember, YT raised me as much as mu parents did, it gave me skills to get job as programmer. My father born in 1945, after Mickey was created, and died in 2018 before it entered public domain. I tell you all this to hammer point how long time frame we're talking about, and how much of commitment society gives to copyrighted work. Even if it was out of print for years, even if original company isn't supporting it since decades, last entry in IP was made before my country in it's current form was established, it stil will be protected. In return(and i'm talking mostly about video games, but somewhat applies to software in general), they mercifully allow us to rent their software for unspecified amount of time, for usually not so small sums of money, and usually with right to take said license away at a whim without a reason. Again, not for abolishing copyright entirely. But i think in current situation "tail is wiggling the dog", and either copyright retention shorten, new causes for artwork entering public domain established or both. (Perhaps it should work a bit trade mark, if you don't use it, you louse it.)

it's a 14 year old NAS

@veryCreativeName0001-zv1ir and you're point is ?

This is a great idea! Added to the list of things I'd want to change.

You probably hit the most likely explanation. Unfortunately, the bigger problem is D-Link unwilling to update it or at least send out a crisis report to news agencies to let customers know. I did see someone hint at mandatory open sourcing for deprecated software. I think that would definitely help, because the person who finds the bug could patch it. Maybe we need to promote open source routers now?

Open source radio transmitters have a remarkably hard time getting FCC approval... Qualcomm isn't the _only_ reason Qualcomm radio chips continue to use closed-source code. It's really annoying; the efforts to block true direct mobile-to-mobile LTE, were so coordinated, one could almost be forgiven for mistaking those efforts as good-faith "interference prevention". Open wireless is anathema to regulation; it's been stomped on, one product launch after another, my whole life or more.

@@prophetzarquonThat’s not an accident. Lobbyists love regulatory capture. It’s all by design that OSS firmware cannot be used on RF systems. By design of the companies that have vested interest in selling us new stuff all the time.

I maintain multiple servers and my go-to rule with even throwaway shell scripts is that all input must be considered unsafe. Always encode data as data regardless of the programming language you use and all injection attacks immediately vanish everywhere.

And the team that wrote the HTTP server, if there were teams, didn't take the time to understand HTTP. And the lead designer of the configuration API, if there was one, didn't push the big red button to stop this and do it right (and more simply).

And any attempt to pass consumer protection would be lobbied (read: "bribed") away by the powerful corporations that would be impacted by it.

@afjer this is why people become cyber criminals, stupidity

No consumer protection law protects your from end of life products. In fact in Europe it's only 3 years warranty for a new product. Some pro or enterprise products get 5 or 10 years warranty but then consumer laws don't apply because the buyer acts as a company not individual.

Reminds me of a time a car dealership sent me lottery thing in the mail. Said I won a $50 gift card. Had a number to verify. Verified as valid. Walked into the car dealership and it was a "raffle" with the winning numbers already picked. Mine was not one of those numbers. Told them fuck you and that I'm never coming there again. The kind of idiot that looks at and buys a car after that is next level stupid.

Neither does the Mafia - thanks for the Goodfellas quote.

@@play-good "sorry,we sold it to you,so your problem now"

@@92sieghart D-Link, the last big company around that still respects ownership 🤣🤣

.oO( Who did buy that s. in the first place? ... ROTFL )

at least open source this sht

Kind of true, yeah

Synology has it's own security issues unfortunately. Their security settings page forces you to give a phone number for 2FA setup, but SMS 2FA is easily exploitable.

Synology give up 10% margin? Who are you kidding?!? 🤔

As long as you keep using EoL devices, that's on you buddy

@@BotDetector-44 what are you taking about?

@@dynad00d15 Just ignore him - he's a D-Link salesman!

@@dynad00d15 I'm assuming that was sarcasm. I'm _hoping_ that was sarcasm...

@@sootikins Right, because manufacturers update their software after 14 years from their initial release date. You guys might be some retards or a bit clueless how things work when producing hardware and software components but hey, I'm a salesman, you got me

But D-link is just A subsidiary of netgear, which own A good majority of home routers currently distributed.

Yes, it is truly astounding. I've done some PHP programming for myself and some friends, and did some professionally a number of years ago. One of the first things I did was write a shell command to read all PHP files and find all instances of "if X = Y", and I used that shell command during and after each programming session to ensure that I never accidentally assigned a value when I intended to query it. Checking for calls to system() would be similar (I never used system calls, so I never needed to do such checks, but it would have been simple to check for them). If I -- a single individual -- could do some simple checking and validation to prevent problems, then surely a corporation such as D-Link could have done so.

@@nullvoid3545 What? No it's not. D-Link is a subsidiary of the Taiwanese Steel Group. They have no affiliation to Netgear. Why would you post blatantly false information like that?

@@nullvoid3545 this is what happens when a company is a monopoly (or almost one).

​@@nullvoid3545Netgear and D-Link are unrelated companies.

Exactly how many "competent" organizations do you think exist now? Three? Four?

Before the first time, hopefully.

Took their development queues off Crowdstrike.

@@BTrain-is8ch I misspoke implying that a "competent organization" was even a thing... But a lot of industries are regulated/audited kinda hard for IT sercurity and SDLC stuff. If 100 CVEs popped up that were caused by D-Link I would expect there to be a lot of places cancelling orders/contracts... But I guess D-Link is 100% discount consumer hardware if they can afford to not care and not fix it. You don't have to worry about what you do to the general public.

For clueless - xkcd reference. Someone embedded a "Drop table" command in child's name. Deleted main database at school.

Like a day 1 training scenario lol

@xmine08 - That is "Little" Bobby Tables to you. 😂

I had once a dlink router, and it was losing connection about once a day, so I had to unplug and plug it again. I decided to update the firmware, in the hope that it would be fixed. After the update, the connection was dropping every 20-30 mins. Horrible experience. I installed de-wrt (which fixed everything) and never got a dlink device ever again.

This server is running as root (or the CGI binaries are setuid) if it can add users via a web request.

Id believe it. Like immediately after some companies want you to upgrade they say "hey there's a backdoor you should stop using the product or your product is gonna be 15% slower" Spectre and meltdown, windows XP, apple battery health, etc are ideas that come to mind.

Microsoft refusing to patch critical vulneralibity is how Windows 7 got abandoned. The idea have been around.. _Activating them is a new level of evil_

1. Push a "security patch" 2. The patch actually contains vulnerabilities, on purpose 3. Profit

Ah yes, the μTorrent v≥3.0 approach

Forced obsolescence? They were obsolete before this disclosure. They're 14 year old devices. On top of that, one should NEVER use a consumer branded anything for anything actually sensitive or mission critical. These devices don't have redundant power or controllers. Those interfaces/ports/protocols shouldn't be exposed to the internet anyway. If you actually put one of these open to the internet, that's on you, not D-Link. If it's NOT exposed to the internet, in order to exploit it, you'd need to be on the local network already, in which case, you've already been compromised and you're fucked. This is something that should absolutely be fixed in any still supported devices, but end of life means end of life.

Dude, the physical locks thing is so true. When I found out about lockpicking, I took a thin, flat piece of metal and just raked my apartment lock. In 30 seconds it was unlocked. Most locks are a joke. 😐

I do both (locksmith/safesmith and pentesting). None of it works XD

@@capturedflame XD

I was in disbelief about the "cut off a Bic pen & wobble it around in the keyhole" method for circular keys, so I tried it: Took me ~12 minutes the first time,

@@prophetzarquon Haha. This is the funniest example of car security: kzbin.info/www/bejne/jH_HqpqdqqaAh6M

@speedweasel yup, a junior tech should never be blamed for something like this. If a junior dev is accidentally able to get such a bug into production, then a senior dev with bad intentions DEFINITELY would be capable of doing that as well. It's up to your pipeline engineers to make sure that CAN'T happen.

@@rikschaaf There is no such thing as code review in Chinese software development world in many places)) Nobody looks code, they just make it work, do some stuff to pass manual and automatic tests and this all. And because there was no code review for years they can't start doing it effectively because everyone is more incompetent and can't spot other people bugs just by looking code (this is separate skill which require not just technical knowledge but also able fast understand code and see whats can goes wrong) Also code review would kill they productivity and increase cost, so for them there is no reason to introduce some "bad" practices from financial perspective)

When they refuse to fix it.

Same experience here! Worked for a small aerospace R&D company as a dev & IT consultant. After many random LAN outages I got them off D-Link switches entirely. How garbage are they that they can't even build a 100mbps switch without messing something up?

Not like this. If you are going to do that then you should have security measures that can authenticate and restrict what can connect to it.

@@flarebear5346 Yes, I know. But which end user knows this. And now the vendor name is in the press again an they can start their next product. Always remember, "The S in IoT is for security" (Need to find this T-Shirt for next week it must be somewhere. )

lmfao

You shouldn't have the nas open to the public internet, especially not your admin console. You'd want to have an authentication layer in front of any requests to the applications on your system, or better yet, only allow access to your system through a secure VPN. In the case of this bug, you wouldn't be able to send a request to (target IP)/cgi-bin... if it wasn't already open to the public internet (which again, it shouldn't be), but if it was or say you're connected to the same network, then your whole machine is wide open.

Just run everything on the local network and have wireguard to connect to it

@@bparker06 well it was. Even PHP worked/works like that.

In your defence, I've seen more Perl scripts as CGI than bash ones :-)

That is probably the case for these sorts of "UI glue for small devices"

C, Bash, and Perl are the typical ones.

I used to have a shell script to redial the internet set up as a CGI. Anyone on the LAN could reconnect the internet as needed that way. We paid per call back then for local calls, so doing it this way made it convenient, but saved calls at night when no one was using it. There was a 4 hour session limit on our ISP.

they are like hp lol

Most importantly what both Extended Support and EOL mean is also decided by the manufacturer. Just like alpha, beta and early access at the other end of the lifecycle. Those are just tag names meaning your expectations should be lower than during active production phase. But how low only depends on the manufacturer's will.

Dumb switches are one thing. No one should be using D-Link for anything more than that. There's plenty of much better stuff available in the NAS or higher end consumer networking market for not much more money. I'd rather get a TP-Link setup and a Synology or QNAP NAS, but if you just need a 8 or 16 port gigabit switch? Buy whatever is cheapest because it'll work fine.

Lol!

i like the todo dir probably more exploits explained right there for one to just try

You think they did code reviews? Dlink in 2012 probably didn't even use a code repository, let alone agile development.

"It's not even snprintf!" I cried. But even that wouldn't have made it better since the quoting is completely unsafe.

Queue penetration joke?

Gives code injection a whole new context innit

This device is way older than 2022 so I'm not sure what your point is.

Well I mean the certification is called "BS xxxxxx" for a reason 😃

You can't say they "never thought of it in security perspective" when they actually have a "safe_system" command to cover this exact security issue that is actively in use in the same firmware and even in the same operation.

Anyone who doesn’t take security seriously has no business being a vendor. Samsung and SONOS I’m looking at you.

He did mention that in the video too but the low hanging fruit is the system call. I mean both need to be fixed and are right next to each other. Not sure how people are going to do that though, if at all.

@@steveftoth by buying a new device - D-Link

Please place your checkmark and then try again. [ ] I watched the whole video

No one cares. Probably there are s lot more spots to cover in the firmware. Why would you want a buffer overflow if you have system calls at your hand

Place holder for uname n pass

You don't need a willingly designed malevolent hidden agenda to explain what is just plain stupid greediness. Most likely someone in D-Link's sales department thought it was a good opportunity to sell new devices to ancient customers with no effort and make some easy sales commissions. Really all you need is someone with short-minded KPI drive and no incentive to build a high reputation for the company on the long term.

🤨📸

@@drgabi18 its a proven fact, thats why so many streamers wear them and why so many vtubers have them on their models

@@corvusnocturne Kai Saikota and Fauna are the only vtubers I know that have one, except them, I have never seen anyone with one Eric Parker has kitty headphones, so Low Level could learn from him

Stop it. Get some help

There is, but you've become so good at reading it in your head that you can't tell anymore 😂😂😂 Go test if it works with assembly as well 😊😂

@@showmeyourcritz321where anything related to base64 happens?

Mc0Ca

​@@jyothishkumar3098"McOCa" is 5 characters base64 encoding length is divisible by 4 5 is not divisible by 4

It’s not base64 encoded, it’s url encoded. He was just wrong.

Collared

@@Chris-on5bt Yeah but still, the question remains: What? :D

Considering the patch seems like it's just changing the account stuff to run safesystem instead of system and that would completely prevent people from being able to run code on someone else's device it's still pretty crappy to just not do that very easy fix no matter how long it's been EOL.

@@ericgoodman3510 You sure you wanna go down the rabbit hole of arguing how long past selling what was a bottom-of-the-range NAS its manufacturer should support it? Especially when its got a community run alternative firmware/OS that isn't vulnerable to this?

​@@LAG09 Sure why not go down that rabbit hole? Because the literal first question is should they be responsible for patching it if it had been discovered less than 24 hours after entering EOL? The obvious (unless you are a piece of sh**) answer is yes, a vunerability of this magnitude should be patched if the product has been in EOL for less than 24 hours. Since that establishes there is clearly some amount of time after entering EOL they should be held liable for not patching this magnitude of a bug then the next question is simply for how long after EOL should they be responsible? Well in my opinion they should be liable for as long as the patent is good. If you think that's too long of a timeframe let me repeat the point that LLL already made in his video that EOL is determined solely and exclusively by the manufacturer for a date that is completely arbitrary. If they don't want to be liable for fixing a vunerability of this magnitude then they need to publicly announce they are no longer interested in protecting their patent opening the door for any other manufacturer to step in if they desire because as long as they are willing to sue someone if they create the same product then they need to be liable for when their product contained a bug of this magnitude when it was still being sold and not EOL.

I don't like D-Link, at all, but I completely agree. For all we know, their engineers discovered this among other things, and that's WHY they killed the product. Corpo's would never call an end of life without immense pressure from the engineers, not while there's still any free milk left to squeeze.

It's not an excuse to not inform the public if the info was made known and not allowing for the community to fix the bug on their own. If anything, they should write that on the product box with the warranty. If the product is out of warranty, you are at risk of your devices being hacked and the company will not make any further patches to protect you. This is not apparent to any consumer, because we don't know the End Of Life ahead of time and no public announcements are made. Maybe this more of a legislative issue regarding packaging, like food expiration dates.