What do you think about interviews for videos like this?

Michael Cera and Ed Sheeran doing some binary exploration. Love you guys

im 12 what is this

Imagine if the developers didn't add that extra edge case for using setuid() as root... Shit this is what xkcd meant by 'we're only one linux exploit away from the world collapsing'

Waaw, happy to John as well in the video. Man you guys rock. 🎉🎉🎉

Similar to earlier PRIMOS bug allowing you to create a library with the same name as the ring 0 routine which checks if you are superuser, then load it using PRIMOS BIND before loading final system library. Your routine gets linked / resolved first, and allows checks to that library name to always return yes. That exploit was done over 30 years ago, I know because I was there, although I didn't do it myself. You'd presume today all privileged routines would have a digital signature to verify authenticity. Good job on explaining this, nice and clear.

That's amazing, using an actual existing vulnerability in a CTF!

Beautiful. Its cool to know that I wasn't alone in thinking this game is broken. The last thing you mentioned happened to me multiple times and then by hit and trial I figured that it works in sh and not bash. Bash was dropping my privs all along :D

Maaaaaaannnnn i felt exactly the same. When I started learning about exploitation (I'm still learning) . It was soooooo frustrating when I was sure all my exploiting was good but some how I was not root !!!. Now finally I know why, thanks a lot from Mexico.

The 4:20 person hiding with... bread was surprisingly effective. Rewatched that segment several times before I realized there was actually a person there (Their sleeve clips out the shot)

Wow, this video is mentioned in the CVE page.

One approach is to run the bash shell with the flag file as input and hope to see the content in the syntax error. Of course if it was an actual command to chmod your shell you'd fail to make progress.

0:00 that's gynvael in the background

suidperl is oldest vulnerability but it's still relevant

just to note, he mentioned a script by tavis ormandy and github.com/taviso/ctypes.sh was quite googleable; and that could've been used to solve the chal too

So basically, you ask yourself "how badly can you possibly fuck this up" and you're set.

Noob question, I apologise for the wide gaps in my knowledge, but does this also effect Zsh/Fish? Would it require a separate CVE if it did affect them? Thanks If you're reading LiveOverflow, I truly love your videos. Always excited, too much for a grown man, when I see your videos

I wish I could take you back into time. If I was 12 - 21. I could watch this all day :D

You can use bash loadable builtins to, for instance, get a builtin sleep function, to sleep for short times without spawning lots of processes.

So cool! It could really break many other CTFs, if you don't mind :)

would you look at that, perfect video for a paranoid guy trying to learn linux and remote management by setting up his won server with various automation scripts written in bash.... I'm starting to reconsider my sms to systemctl script :O I'm actually having so much fun messing around with my computer and android to see what I can port/"export" (like read various sensors on the phone but using the data on the server) but I've caught myself implementing some backdoor by just being lazy or ignorant. This video really shows that you can't assume that anything "standard and well peer reviewed" can be trusted to do everything right all the time! how many people read the binaries and boasted about compiling their own linux distro while over looking this "oh so simple" bug. I also love how he just stumbled on it by being extra curious, not only did he want to make up some hypothetical bug, but he wondered if anybody did the same "error" he was about to do! love it!

No surprise to see that Tavis reference :P

Just managed to reproduce it on the CTF server. Even after you guys mentioned loadable builtins, I still didn't get it, because I didn't know code gets executed as soon as you "enable -f". Is that "initLibrary" thing even documented anywhere on this planet? Oh wait, that's just the name you gave it, and the "((constructor))" tells gcc or linux or _something_ somewhere to run this when the module gets loaded? As one can tell I don't know a whole lot about this arcane C magic :P

Vulnerabilities are everywhere, you just gotta be good enough to solve the puzzle and exploit. Just to think, our whole infrastructure these days is based on these machines. I wouldn't doubt every secure system in the world could be exploited by a talented enough hacker. Collapse of civilization caused by some Python and Pearl code.. *chuckles*

I idol the 3 of you guys thanks for your teachings

I mean he calls it the worlds least useful vulnerability but I can think of a lot of systems where this vulnerability would have worked essentially as a jail escape.

Pretty tricky and cool.. Love from India

How do you create the drawing and text of the video? Do you got a program for that or is it just a graphic tablet?

YAGNI, but implement it anyway: a way to embed foreign binary executable code in your shell. What were the bash author(s) thinking?

How loves zero days❤

"-I wonder how many people feel the same way.. -I feel the same way. Like 1000% of the me same way :') "

holy bash !

I did kind of understand this video because of the similarity to Cisco User priviliges in their OS. The message was to gain back access to a priviliged mode with a bash execution , right ?

big brain moves

I love this video so informative

It looks like more a challenge on knowing parameters than any other thing to be honest

Wait, so I can escalate privileges on my school's pc? Nice!

Dont understand everything yet aber sehr gutes Video! :)

so wait, you cat >/tmp/escape.c

How do you create this video where only I can see the terminal and not the other aspects of ubuntu, like how do you hide it

linux is beautiful!

wow, did not know that enable -f has some hidden feature.

Better way of explanation

5:13 omitted to mention fsuid for Linux

Future liveoverflow:spoiler alert ()😁😁

How exactly was the Saved UID involved here? I don't see it really..

Other than this video there is no single article about this CVE id, why?

this looks so usefull, how is it not more dangerous? :D

intresting fact, Do you guys know that liveoverflow has a channel in P*rnHub. I am not kidding it is there. It is funny and there it is also this educational (seriously it is also about finding vulnerability there). Go check it out.

This dude talks the same as Tarantino

Okay....In what lang they were speaking?

So does /bin/sh not drop privileges?

#NotificationSquad

Cool trick

What the song is on your intro?

11:54 *So you can use this "here document" / "here file" [...].

user@redstarOSX.... Did North Korea update redstarOS?

John Hammond

good

With all being said..could someone exploit 6.20 🙏🙏

I could barely understand a thing in this one. Will this get patched? What does that mean for all Linux systems out there?

Cheating with a library initializer? How brutish. The elegant solution is clearly to implement a proper built in that lets you specify arbitrary userids to use.

flag_haver... which means... semaphore 😁

Very nicely done

Using SHA256 for hashing passwords in 2019? Since they are using a high entry password they should be using Blake2.

IKTFB

Hi

Can you add a link to more information in the description?

Usually when a video is first posted, there're more comments than views. Not so here. It appears KZbin's scared to mess up on a hacking channel (-:

Ed Sheeran 14:46

needs more fab and uloos

This is inherently a shitty CTF problem because the description was absolutely useless. This challenge was created because the author wanted to brag and get attention for finding a vuln and wasted everyones' time while doing so. I hope Google doesn't let this happen again.

bash != sh ..

ph4t

lmao! the guy interviewing has no idea what the author is talking about, his face is priceless haha..