this is a warning to anyone using php

actually the white house said C is unsafe so I will use Rust 🤓

UTF-8 and UTF-16 are actually full Unicode.

Any course on programming Rust safe? While interoperability with other languages like C/C++

Have “PHP” in the title
Open cve link
A glibc bug
If this is not a bad faith argument and clickbaiting I don't know what it is.
Unsubbed, disliked, and blocked this 🤡 from ever showing up on my feed again.
I suggest you all do the same.

@@jongxina3595 I don't trust the White House. Rust is probably a trojan created by the FBI

"...that basically lives on every Linux distribution" and another!

*whiny voice* You guys... drinking this much is how these C programming bugs happen...

@@jim0_o vicious circle eh?

php = personal heap overflow program

@@monad_tcp more like phop :P

its a little bit of both. ive been making videos about bugs im hearing about, so you're definitely seeing more because of me. but also my feeds have been blowing up with articles about bugs recently.

@@LowLevelLearning And thanks for that! I've been enjoying the breakdowns you've been making

Someone commented that April is month of exploits

it is recursive. Articles about bugs drives people to find bugs to create more articles, which drives people to find bugs to create articles.

@@LowLevelLearning Where do you get these news?

proot

yes, the NSA and their international ally. In the case of xz, they tried to blame the Chineses.

​​@@eng3dMossad, aka 'is real'

Proot

The ain't using php anymore, they switched to Asp

It sounds like some Star Trek technobabble that some writer came up with

What is charset and what is RCE?

@@TheJackal917 Charset: character set, think ASCII or UTF-8
RCE: Remote code execution, where an attacker can execute arbitrary code on a system

@@treevor1 thamks.

that phrase rolls like an epic dis from a nerd rap track

Man, I wish I could upgrade all my clients to 5.6.

@@Betacak3 feels good to be the admin too. I switched all that stuff to 7 and then 8 years ago lol

*lol* To be fair: update politics have changed to the better with webspace providers / managed servers. In fact were making a lot of money atm migrating systems to PHP 8.2/8.3 because many providers are charging extra money for "legacy" 7.4 support.

Rip 😂😂

@@prima_ballerina my current projects: upgrade two websites from php 5.6 to 8.3. Easiest money for my boss in the world

Someone left the nsa lately? 🤔

Availability bias, CZcamsrs saw that the XZ vulnerability (yes an actual crucial and scary one) did well among viewers, so now every vulnerability under the sun is being posted about. I would bet on it being a trend in posting, rather than a trend in actual vulnerabilities. Just something I see, I could easily be wrong

​@@-Ldcould also relate to more people being sceptical of the software they use and thus looking for vulnerabilities

@@plaintext7288 the most insane vulnerability I've ever seen in my life (look up operation triangulation) came shortly before (what I consider) this recent trend, and it was not well known. The best documentation was by the firm who found it themselves, which had around 1k views. Basically the attacker could send a text to someone (unopened), and instantly get kernel access to their iPhone, so if you have an iPhone, you were 100% compromised unless iMessages were disabled. If this happened a week ago, I would speculate that it would be more well known

@-Ld I don't know why vulnerabilities wouldn't always be posted because a lot of people want to be hackers and the well-paying cybersecurity field is continuing to grow massively.
There could be an uptick in vulnerabilities because people were inspired to look for more of them. The collective power of humanity is wild.

Hopefully people already know their systems well enough to know how to install updates, but yes, realistically in most cases it'll be a backported fix to whatever glibc version you already had.

If all the dependent packages are not ready for an updated glib and it’s not listed by your package manager when you check for updates AND you force an update on glib, couldn’t that essentially break your disto?

Came here to say the same thing.

Heros don't always wear capes

That’s my understanding too, this does not seem isolated to PHP whatsoever.

That all depends on how those other systems implement functionality for character sets and HTTP headers. The bug in PHP is specifically related to PHP's use of glibc's iconv() function. While it's possible that other systems use iconv() in a similar manner, and have similar vulnerabilities, it isn't guaranteed that a web request sytem that depends on glibc is vulnerable. Other systems could be using character encoding conversion mechanisms other than iconv().

This affects every binary that links to the iconv() function. However not all implementations will have an RCE exploit, just a possibility of one. So they fall under the lower rating of 8.8 until one is found.
Also I would guess this exploit makes heavy use of the way PHP makes use of path-variables for passing data. Not all request systems are as liberal nor straightforward in the way they do this.

I think the point is that in the case of PHP the researchers managed to find an exploit chain that started with this bug. Until their research is published we don't know where else they tried or how hard they tried.

However, the code for the exploited function is most likely the same in musl.

@@tripplefives1402 No, the code in musl isn't most likely the exact same. glibc includes many non-standard optimisations and extensions, while the principles of the musl codebase are simplicity, correctness, standards compliance, and security. musl has had only six CVEs to date, while glibc has had over one hundred. This vulnerability is due to a logic error in glibc's implementation, and it would be unlikely the exact same logic error exists in musl. I would be quite surprised if musl's iconv() implementation was affected by this.

@@shrootskyi815musl has had 8, not 6, CVEs. Check MITRE.
How much of musl's CVE track record is due to its limited visibility and exposure? Younger age? Going simply by the number of CVEs is misleading. I recommend examining the fixes made to address this in glibc commit e1135387deded5d73924f6ca20c72a35dc8e1bda and comparing to musl libc's iconv rather than operating off of assumptions.

@@tripplefives1402 Nope. Musl says "The iconv implementation musl is very small and oriented towards being unobtrusive to static link. Its character set/encoding coverage is very strong for its size, but not comprehensive like glibc’s." plus a few more paragraphs with details.

@@shrootskyi815 6 cve's in 13 years : 100 cve's in 37 years is pretty damn good. Glibc is almost 5 times worse even taking into account how much older it is.

For the same reason xz was tried to get attributed to systemd: People, rightly or wrongly, dislike PHP and any reason to attack it is valid.

​@@videocommenter235And despite their attacks, it ain't going anywhere

No kidding, glibc is used by a lot of other languages too. It’s good to point out that php is impacted, but to say it’s a php bug is weird

It's same as eval in exiftool that lead to an rce in gitlab.

Looks like because it is easier to exploit the bug on PHP.

i cant unhear it now! 🤣💀

I had to watch this video with closed captions and no sound. The captions printed Oliv Learning, so it heard that too! 😂

Me too. Before reading comments

00:25 Oliver Earning

It's weird name, tbh

Also utf-8 is not just 8 bits, but 8 to 32.

This, putty... was the apple sidechannel key extraction (gofetch) this month? I'm honestly having trouble keeping up. What have I missed? What have I forgotten that I'll still need to act on (or at least discuss with IT) when I go back in to work?

@Relkond the few I can recall of the top of my head are as follows:
linux (networking code?) giving ring 0 access
xz & liblzma backdoor
poorly escaped strings in windows allowing for "script execution" (shouldnt be a 10.0/10 exploit)
firewall having exploit
putty (as you mentioned)
this
and others I forgotten about

😂

😂

🤣🤣🤣🤣🤣🤣

Lol 😂

I personally don't. With these depth and quality of content he can call himself a talking teapot if he pleases. I'd still watch every single video he releases.

His mother just had a premonition of what he would become

Only if they use glibc’s iconv implementation. There are at least two functional replacements for iconv if I don’t count wholesale alternatives to glibc.

So that's how I find good vulv... 😂😂😂

Go for it!

Yeah, I guess... If you also embed the whole GC just to run that code module. Only Rust could be used to write something that could be embedded without forcing you to run a GC

The reason this is always asked rust and not other memory safe languages is that rust has the right features to replace c, while most others do not.

If you were to rewrite iconv in Rust, no other software would even notice. If you rewrote it in (insert GC language here) a lot of software would have new and interesting performance problems from having GC heaps stuck in them

@@antoniong4380 you have bounds checking in C++. if you write an inline function/macro e.g. array_get_checked(), then you also have bounds checking in C

Most other languages that do bounds checking are garbage collected and not suitable for tasks like this as a result. C++ does not do bounds checking, that's a common misconception. I do know that Ada does however. There's also ATS, although that's a research language. I can't really think of anything else, perhaps D-lang might do it?

I probably don't understand it well enough to explain it but basically a program allocates a very specific amount of bytes for a task, if said task overflows it overwrites memory allocated for something else, even if it's 4 bytes that can do a lot of harm and escalate to arbitrary code execution

Simply put, the compiler doesn't waste memory if it can avoid it. If you have a bunch of variables, it usually puts them right next to each other.
Now imagine that you've got a variable that's supposed to be 20 bytes long. Right after it in memory is another variable - let's say it's the address the code should jump to at the end of the current function. If you write 24 bytes into that first variable, you're really writing 20 bytes into the first variable and 4 bytes into the second. You've just changed where the program jumps to at the end of the function.
Normally that sort of thing would cause a hard-to-debug crash in the best case and memory corruption in the worst. However, if things are arranged just right, you might be able to use something like this to intentionally specify the jump location to something that invokes a shell or otherwise opens the program up to more manipulation.
This sort of thing works because the computer doesn't really understand the concept of a "variable." It just sees memory addresses. It's up to the compiler and the programmer to make sure that the correct memory addresses are used and that you don't write to addresses you aren't supposed to.
Languages like C don't give the compiler enough information to pick up on this sort of thing, so it's up to the programmer to make sure it doesn't happen. They're only concerned with the raw mechanics of what the computer should be doing, so if the programmer wants to copy bytes from one location to another they have to write out exactly how that happens. Programmers make mistakes. Well-written libraries help a lot, but C will happily let you shoot yourself in the foot if you tell it to.
Languages like Rust and Ada require the programmer to provide more information about the intent of the program, so the compiler is able to do more checks to find programmer mistakes. There's a cost though - either in runtime (bounds checking) or loss of flexibility (i.e. sometimes you really do want to shoot yourself in the foot). Good languages offer the programmer usable tools to overcome the loss of flexibility, and bad languages are just a pain to use.
I've never written any Rust or Ada, but from what I hear they're pretty good languages.

4 bytes can easily be a return address...

The operating system gives certain access to memory. When memory is in use, that space is protected from being read and wrote. When you overflow without crashing the program, you are essentially corrupting this entire model.
Often times, this simply leads to data corrupting which usually results in a runtime crash. The way this can be exploited however is somewhat program dependent. If you overflow in just the right place at the right time, you may call a system function or server function with arbitrary arguments. Note that attackers are often smart and patient. They will do this for months and even years to get access to a system and exploit it.

Yeah, this part stuck with me to. Most youtubers casually says "just upgrade you glibc or linux distro" but glibc 2.40 is not released and current LTS distros are don't have a patch for this. Is there an actual viable fix for this?

Yes

Maybe, but only if your application doesn't depend on it.

We don't know yet....

@@autohmae how about if I don't use iconv() at all?

@@ThomPorter74 We do NOT know YET.

@@autohmae ok, I WASN'T sure.

@@ThomPorter74 we got to wait till May 10

Where would you put this? at the top of every php page?

bro you can simply remove the charset for glibc

It's actually about encodings. iconv converts between encodings (i.e., representations of characters in memory). It doesn't have anything to do with what's installed on the system because knowledge about the different encoding schemes is built in to iconv (the glibc implementation of it in this video) directly.

closed source is not different, while you may get paid to fix issues you first have to find it in the first place also resulting into someone abusing it.

@@JustPlayerDE "closed source is not different" - as long as you understand open source does not offer better security, all is good.

​@@momoanddudufinally a reasonable opinion on this lol

The good actors have names that rhyme with "Mia Fan"... 😂

@@momoanddudu Open source does not offer better security inherently, but it offers better transparency. Said transparency is important to finding issues and ensuring they get fixed. It's for this reason that 24 year old bugs like this are few and far between.

We'll know for sure in a month when the talk comes out, but usually this kind of thing is one piece that gets "chained" with other exploits as "part of this complete breakfast." 4 bytes is 32 bits - which can overwrite an instruction pointer, etc

I imagine that in the exploitable PHP context, you can overwrite an important pointer without hitting a stack cookie or similar. Let’s say you overwrite f, and f somehow is php pointer to your own php code. It could also just be a traditional byte overflow where attacker needs to overcome ASLR etc, but the. Exploitation is harder (if nothing else is known). Target being php is also interesting as other interpreters (like JavaScript) has allowed hacks like “Heap Feng Shui” has enabled nuking ASLR from orbit using scripts. So that’s my guess - it’s php related and something in php model makes the exploitation much easier than it normally would be, something in the memory is known to attacker. If that’s not the case, then my second guess is that some variant of Feng Shui attacks makes attacker able to bypass ASLR without much of prior knowledge.

Basically; we have a 4 byte write primitive. And potentially a huge payload attacker controlled in memory. And we we can do thousands of these operations again and again. We don’t know if it is a single 4 byte overwrite or if it in php is multiple. And we don’t know which 4 byte is being overwritten. Many local code execution bugs loops until they win over ASLR… But in theory the entire memory could be filled up by x86 machine code exploit or php exploit code… it would be fun if there an exploit chain that is novel that doesn’t rely much on traditional memory hacks but actually does something with php code to be executed by the interpreter. Once the research is published explaining which memory is overwritten from the php exploit it will be easier making sense of it.

it depends on what's in those four bytes
if it happens to contain a permission flag or be a function pointer (the return address is a likely target if working on the stack), then you can use it to elevate your privileges or run arbitrary code respectively

These types of bugs (memory related ones caused by the language deficiencies) are the biggest problem with software safety, maybe that's why.

@@antagonista8122 I certainly wouldn't mind having strict types and the borrow system in PHP. Would be an insane break with its roots though.

This is actually political, the reason he mentioned it is to stave off the Rustacean vultures from the comments... if you look into it, it won't take long to discover what end of the horseshoe they belong at... (hint: they have "mallocophobia")

its just common question

I think it's just a new meme.

Japan and China not very far from each other 😂

yes

Some of them

Mr LLL is great even if you are old in the game. Much easier to remember an explainer than all the tech news that flies by. Also love to reference LLL and LiveOverflow videos when I’m explaining this quickly/badly. So I know people can spend time to learn at their own pace from someone who explains things clearly.