Name a more iconic duo than Windows and backdoors for federal agencies (you can't)

>Windows Has a Critical Command Injection Bug Yeah, it's called windows

Next week: 10/10 critical bug: the coffee maker is broken!

fun part about this is how we've known variables enclosed in % are vulnerable to injection for decades at this point (along with %num or %*) people never learn i suppose

I love how log4j is now most commonly used as a reference to CVE, not library itself 😅

If this bug was called 'clown makeup', then the headline would be "Clown wears clown makeup"

"Java: Won't fix"

You will eat zee bugz

"There's this new 10/10 vulnerability on windows man!" "Oh yeah ? Can you reproduce it ?" "Yeah! You need to sacrifice a goat at midnight while it's a full moon, then wait to get struck by lightning. Once you're at the hospital and you see the doctor, you need to slip this magic medallion into his pocket, and then you need to have a baby with the nurse. Then you'll get remote code execution on your computer. This is abhorrent man." I still think it should be patched, but 10/10 vulnerability ? lol, it just desensitizes people who are less informed about IT security. ;o

Shout out to Frostb1te for releasing a PoC early on. I bet there would've been a HUGE panic if no PoC was released and the 10/10 rating went through people imaginations.

Imagine not sanitizing inputs and then beeing confused to get remote code execution. It's like people have forgotten about sql injections

By the way even Windows APIs find it too difficult to encode separate args into a command-line string. You can get the arguments out of the command line string by calling CommandLineToArgv but the windows APIs provide no encoder (i. e. there is no ArgvToCommandLine). Rust got the implementation of this encoder wrong. (ya see folks, microsoft wisely did not even try)

It doesn't really matter if theres any privilege escalation because average winddos user will run everything as administrator anyway

Sanitization of user input is always the developers job, not the language. Calling this a 10/10 critiral vulnerability is like saying that every language you can think of for web development with SQL bindings has problems because SQL injection can be performed if you don't properly sanitize the inputs. It's not the fault of the language.

This is overblown, this shouldn't be 10/10

7:15 if there is a program that does this, then it runs on Windows Vista, is written in Java 6, and specifically relies on this bug to work.

Well, the liblzma/xz bug did certainly not backdoor the "ssh process for most of the linux servers out there on the internet". The bug was found shortly after it was introduced and is not compiled into every version of sshd. Unless most servers on the internet use a bleeding edge version of the library, few servers was actually was affected.

Nice Wojaks. Not sure if anyone else has complimented the channel’s use of wojaks in its thumbnails.

Why tf would you call a batch file from any other language?

Bobby Tables strikes again.

"Won't fix" is code for "skill issue"

LMFAO i love how u replaced rust with windows and i agree

Future programs should be memory safe (and contain our backdoor).

This is the best timing. Right during the lunch break of your average wagie:)

He really said "cmd.exe is bloated"... Like is it though? I have no idea, I'm not the type of nerd to judge that but it seems like a bit of a hot take...? That line would feel right at home on an "avarage linux user" soyjak meme, is all I'm saying

It's not a bug tbh, the code does what it supposed to do, you can write the same code in cpp or cs and expect the same result.

You are very wrong about how common or wrong this pattern (user input to shell) is. This is super common, mainly when a software needs to call utils like ffmpeg or whatever, and that is quite often based on a file path the user inputs. Sure, the app should always verify the parameters instead of a blind injection, but still very common and not an issue or stupid idea like you are saying.

Thanks for making this clear 🙏

mental outlaw is a rust dev now 👀

Lol, reminds me when people were able to open the cd drive of those playing counter strike in the olden days...

This bug would be fun to set up in the THM room about command injection. It had an example of a website that pings a domain to see if its up and showed how you can use escape characters to run other bash commands. When I was doing that room my first thought was "but who would just pass arguments straight through to command line from a website?

On another note, I love 2:36 with the second person manually handing over a normal, presumably *disconnected* keyboard for them to type on.

I would have loved to also see a demo how after an update to Rust 1.77.2 the command execution no longer works.

I think I remember similar bugs in PowerShell back in the day...

How is this a bug in the caller? They pass along the entire string as first argument, like: execve("my.bat", ["text\" & calc.exe", …]) Looks like batch, PowerShell, or whatever that is, first assembles the line and only then parses it for execution, now finding two commands.

now we call all laugh at the people who said "thats why i dont use linux"during xz

If mistakes when using languages like C++ are considered a flaw in the language then this is also a flaw in Rust and a Windows vulnerability. Corporations want to use code monkeys to pay them peanuts, they don't want to pay for professionals. That is the real problem.

I disagree, it is not a Windows issue. I don't know why this is being flagged as a Windows issue, as it could easily have been a problem with other operating systems if following a similar pattern. It's the developer, not the OS's responsibility, to sanitize user inputs. No clue why they rated this 10/10. It's a bad bug but it isn't 10/10 bad.

Why do you call it a bug? It's obviously a feature duuh

Great video Thank you

A really common place you'll find people passing user input to batch files is gonna be wrapper scripts that set up the user environment prior to invoking whatever command was provided. I can think of a few common programs where the user always interacts with it through a batch file to make sure there are never any dumb errors due to environment configuration. If you expose one of those to a web service like a continuous integration build service, maybe you'll have something to think about.

ok well, what if I like bugs?

So basically most normal people were not affected by this bug but now we know for sure it’s window’s fault😅

I don't see how this is a Windws problem. CMD does exactly what it's supposed to do.

Ah, yes the rust NSA backdoor’s been finally found I can sleep well knowing my windows 2000 server instance is safe

hi kenny... could you please do an update video on the best recent practices of VPNs, like openVPN, mullvad, and wireguard (now that i'ts becoming older) and vultr hosting (this one, I don't think your referral code still working), doesn't need to be about installation, just on overview. Thanks

Estos dias se estan poniendo buenos los cve, ojala sigan buscando par cosas como estas

Log4J was a mistake caused by feature creep without feature config defaults that were rational for an open source project that wasn't properly funded and supported by the community the ssh backdoor was intentional attack using next level social engineering with complicated obfuscation on an open source project as well

World: XZ backdoor vulnerability MO: Let’s talk about Windows Vulnerability

You know thinking of different coding languages and knowing that one day they will basically end up at the same place, it always takes me back to those futuristic cartoon and TV shows from the 80s and 90s where someone executed something on a computer and there is some very slow moving timer or meter crawling across the screen despite the fact that we know that far in the future commands should be executed nearly instantaneously. Makes me wonder if this future code or computer infrastructure has resistors across computer connections that allows or requires arbitrary amounts of time to pass before a command is executed in order to prevent a bunch of instantaneous actions from occurring that humans wouldn't be able to prevent or detect similar to what you would see in a bunch of updates processing in Linux via the terminal flashing by. Data resistors. Required security feature in the future

and in linux the xz hack didnt really make it out of the testing environments other than arch which wasn't effected.

This month is crazy for vulnerabilities. Good to know that they are being revealed before non-federal agents use them.

You’re gonna post a full video on this but not FISA 702????

Ah, so nothing of note happened at Microsoft. Good to know, thank you for informing me!

One problem is that the libraries of these programming languages hide these shell shenanigans behind something that looks simple and reasonable enough so that any useful docs, if these exist, will not be read carefully, if at all. First and foremost, they offer some sort of arg list/array that reinforces the expectation that arg handling/escaping will be done by the library - as it should be. This whole cluster f"*ck is unnecessary anyway. Windows, like other MP OSes, does have a Win32 API for direct process creation without cmd.exe (shudder). Anyway, anyone who gets bit by direct exploitation due to lacking input sanitation earns part of the blame.

If you want to be safe from Windows Command Injection Bug, just don't use Windows.

I thought the video was gonna end when he typed shutdown lol

That rust library is meant to do that. It will run commands you give it. Wouldnt call that a vulnerability. Watch the video by lowlevellearning on the subject

Scary how much of the software we take as granted can have such critical flaws since only God know when

I might have written something years ago, that is vulnerable to that. Don't know if I still have the source. It's a small spring boot web app calling wkhtmltopdf like that which passes a URL from user input as command line argument. And if someone like me has done it, I don't think you can "count the number of vulnerable apps on your fingers and toes" anymore.

Excellent when access is already gained ....

Lmao the way that works id definently say some type of 3 letter word agency.Its just so funny how you did the paint.exe,

you help me fall asleep thank you

is that why the government endorsed rust?

wonder why the whitehouse was pushing for rust over C LOL

Kinda wild that its really just a flaw in cmd exe but people instead blame only Rust. Crab haters, man.

I mean, unless you have total memory encryption any OS is susceptible to a well carried out cold boot attack.

this actually is not an issue windows administration catches bat commands executed without hierarchy in the normative case, a file would need to ask for access which kicks in a user prompt. Outlaw's verification is using an application that already has full permissions.

man.. i log4j feels like forever ago

10:57 now, he wont freebase cocaine if he's driving, and it's a sunday.

Was that XP you were running? Based.

There needs to be a 10.1 rating for “oh shit nuke everything this thing touched” which would be XZ.

To get your day started.

Why is Java 8 still being worked on with latest update being released in January of this year?

It's not a bug ffs

Haven't made a bat file in fourteen years lol I did the math on the last time I needed to. It was to configure PDAs used by my old organization's supply chain. 🎉 Fkn PDAs family 🎉

Anyone know what keyboard he uses or what type of keys sound like that

Kenny can you make a video on kicksecure?

2024 is the year of the 10/10 CVE, apparently

I might be missing something but how is this a vulnerability if to use it you have to design an application in a specific way that allows users to send arbitrary commands, which are stored in a bat file by the application and then are run by said application with no checks at all? Do all DBMS have a critical vulnerability because you can do SQL injections with poorly written backend code?

Can you link the articles in the video description?

Dev: There's a pretty nasty bug in you software that allows remote execution. Java: That sounds like a you problem. Git gud.

10:55 Meer alcohol doesn't thrill me at all. 🙅❄👃

I somehow actually encountered this piping commands to a c based string processing program through python. A little strange people consider this a 10/10 vulnerability. This is at most like a 3/10 vulnerability with a 10/10 skill issue involved.

Rust and windows? Is it when wsl is enabled?

Does anyone know any useful USB tools for computer analysis and any general information gathering that works with ventoy. I'm setting up an drive for repair and diagnostics with a few ISO files for installing linux and Win10, but I've yet to find any useful tools that are compatible with UEFI. I'm running a laptop that only has 32gbs of storage space, and 300nb - 2gb of space available at any given time "thanks to windows and HP bloat." I'm also considering switching to Linux (Ubuntu) to replace windows because of this issue but I need these tools incase anything may go wrong. I don't have space for backups other than simple data from browser prefs, keys, and codes that can be written in a text document. PS - My drive currently has around 6gb free so I have some space left for downloads. And I'm seriously tired of low space warnings and performance issues due to low space, please debate with me. Oh, one more thing, I'm stuck on an update from 2020 or lat 2019 thanks to this. I'm limited to my USB that is used to save senstive data and I cannot risk formating it, I only have one available at the moment, low class citizen here asking for help.

I'll put this out there: cmd.exe argument escaping is NOT the same as a program using UCRT (most programs). Windows does not have argc+argv; and UCRT emulates them following a rule. cmd.exe inherited an arcane escape rules that is ever so slightly different. The (IMO) ONLY way to escape properly for cmd.exe is to use the /S flag (iirc). It removes the first quote and the last quote of the command line string. TL;DR: blame Windows for bad design, and blame them for not addressing the bad design, and then triple blame them for not publishing THE LITERAL FIX THEY HAD WRITTEN as a part of Windows API.

old bug... use ^ char to escape the " char, just like using the \ char in bash (backtick ` char in powershell)

I kinda don't consider this a bug to be honest.

What happened to libre podcast?

> Media telling that the entire Linux ecosystem is compromised for xz. (But was only experimental branches) > Windows:

Link to the threat level page please

So I have seen this in Lua projects all the time.

Does this exploit still work if the line with "echo" is removed?

This is such an off case user situation that I can't even start to understand where someone would actually use it. Think of this, a RUST Server (Weird, right) taking user input and passing to .bat??? X"DDD I can't even understand why someone would want to do that. Also, when you've noted that this is "Not something you can handle with user input handling" I highly doubt that it's that difficult to sanitize the input. Besides, who in their right mind would even invoke .bat from rust, it just doesn't make sense to me. Using a low level language to invoke and script a super old CLI Language. I agree how you noted "You can probably count these on one hand".

some people think crabs look like bugs FYI

Sounds like a windows issue. Glad I switched

reject modernity. embrace history. reject Rust, embrace C and assembly

jokes on you my command prompt and power shell in windows are broken hahahaha i swear the environment variables or something are messed up hence almost every command is broken haha ):

Ah yes the motto of microsoft: better sorry than safe