All PHP Applications are Vulnerable
Vložit
- čas přidán 18. 05. 2024
- In this video I discuss a 24 year old bug in the GNU C Library (tracked as CVE-2024-2961) that can allow a threat actor to get remote code execution on virtually any PHP application that is running on a system with GlibC (pretty much every Linux Operating system and by extension most websites on the internet)
My merch is available at
based.win/
Subscribe to me on Odysee.com
odysee.com/@AlphaNerd:8
₿💰💵💲Help Support the Channel by Donating Crypto💲💵💰₿
Monero
45F2bNHVcRzXVBsvZ5giyvKGAgm6LFhMsjUUVPTEtdgJJ5SNyxzSNUmFSBR5qCCWLpjiUjYMkmZoX9b3cChNjvxR7kvh436
Bitcoin
3MMKHXPQrGHEsmdHaAGD59FWhKFGeUsAxV
Ethereum
0xeA4DA3F9BAb091Eb86921CA6E41712438f4E5079
Litecoin
MBfrxLJMuw26hbVi2MjCVDFkkExz8rYvUF - Věda a technologie
At this point I'm just going to become Amish, that's the only way to be totally secure
Unfortunately there's also bugs on the farm that need patching. I have to build a roll away nesting box because my chickens discovered their own eggs are tasty
@@MentalOutlaw This is so real dude
@@MentalOutlaw oof
It actually worked out pretty well for C0V1D...
@@MentalOutlaw The chicken wire patch has yet to secure against the fox no-clip exploit.
The good thing is TempleOS is still safe from all these CVEs.
Common divine W
As the Lord intended.
The Lord Jesus Christ Antivirus 2000 has proven to be impenetrable.
Anyone can be safe if they unplug the ethernet cable.
after jesus turned water to wine, he turned software vulnerabilities into history 🙏
Born too late for PHP vulnerabilities, born too early for PHP vulnerabilities, born just in time for PHP vulnerabilities.
>this bug is triggered by international conversion system
Personally I blame other countries for existing
Yeah! Let's get em!
China to be precise in this case
including monarchy?
Shut up
Same.
April 30: Hardware RCE affecting every every single device connected to the internet.
May 1st: IRL RCE that allows you to become God.
Pov you are on TempleOS: 🗿
@@noodlez7101Considering the first neuralink brain implant was installed successfully, there's not much time left until RCE that allows you to literally get a botnet of living people under control.
May 30, Elon musk discovers rce irl and paywalls the sun
June 1st: the singularity begins, but no one notices because they're too busy watching monkey videos on Tik Tok....
Ayyy Perl still on the list!
0.1% we are still under the care of the old and wise monks.
based perl enjoyer
What's more surprising is that ColdFusion still exists. Like PHP, I guess they need scripting languages that even minimum wage, computer illiterate script kiddies can copy and paste spaghetti code for.
czcams.com/video/0jK0ytvjv-E/video.htmlsi=n9BeRV1JsuCrxq0b
What happened in the 80s stayed in the 80s except for Perl.
People like me use PERL
I went into IT wanting a website with 15 so HTML/CSS first, later on I wanted dynamic stuff so PHP it was.
Fast forward to my second job, JavaScript was still something you use precisely on websites and nowhere else, and Python was still a weird mess with shit syntax nobody trusted, I needed something to take one XML as input and shit out another one, never heard of XSLT or XPath, all I knew was PHP and Regex.
PERL came in clutch, I learned enough of it in like 10 minutes and immediately it just werked for me. Never used it outside of that due to my current job not giving us sysadmin to install software but man, in my old job I even got props from the local actual programmers because most of them only did C# and were down the OOP Rabbit Hole to bad to be quickhacking little stuff.
If you want to survive in the rapidly evolving tech landscape outside of FAGMAN you'll be surprised how much legacy shit you will inevitably find, how useful powerful text handling can be and how very much in demand older stuff still is, because all the systems in most bigger companies are a legacy crap festival. If you hate learning a new framework every week, go into finance, banking, aviation or traffic control.
I code in PHP for 20 years now and I cannot remember a time when PHP was NOT vulnerable 🤣
Hey. Does this vulnerability require the PHP code to explicitly convert from one charset to another?
So if a website just expects user input to be in UTF8 , it's safe.
Just don't use mb_convert_encoding function that's enough right?
php for life bro
it's a feature not a bug. Job Security
PHP Numero Uno
If it's a common LAMP vulnerability, then I bet you there's gonna be a no-brain-to-use script to do the hack 1 day after the talk goes live and a crawler 3 hours afterwards scrounging for visibile servers that are not updated and it will find MILLIONS of servers to up-root and there might even be a botnet fight on the servers when one bot de-admins the other in a back-and-forth escalation.
Im hyped
The dead internet is real 😂
Sure hope that updating all these package update I did on all our dockers and vms updated to the new glibc version.
War has become a series of proxy battles fought by AI
Not at all, read the CVE. its a 4 byte overflow, when using iconv with a specific chinese encoding that is NEVER used in the west. Also why would the end user be in control of the encoding format for iconv? Realistically that would never happen, unless the site is a PHP sandbox.
Don't care, still using vulnerable software for my critical operations.
Patches are for cowards
🙃 let me check, give me your ip
Hell yeah
You guys are silly, they're gonna be looking for SECURE data!
No risk no fun
I am so glad I can't do anything about this!
I love to wake up to an email of the french public administration warning me that they are too stupid to practice good opsec and now my social security number, name , email and so on are for sale.
I mean your president is a gay who "married" a man who molested him as a child so no wonder
I work in french medical sector and most of it relies on outdated and insecure technologies from around 2000s :)
why didnt I get one
I clicked on the link in that email to "read the best practices to protect myself". You have to select which case applies to you but "absolute incompétence from the administration" isn't an option.
Didn't this also happen to Guatemala or something? Scary
Can we not have big software vulnerabilities... for 5 damn minutes?!
Gotta stop writing code then
no
Welcome to the singularity...
I'll go add some unsafe eval() queries to my python code rq.
just for you :)
Welcome to our job; we all make code vulnerable. We just don't know when or with what language, but it could certainly be any of them.
Alpine is commonly used in production, most shops using container based deployments that I've seen use it, most of those using k8s. It's also the default base image for Phoenix/Elixir apps.
can confirm - using it in containers on prod for years
And the default base Docker image of Gitea instances.
I've been doing this for 4 or 5 years at least now
Except with solved DNS issues (ndots), alpine is very good. Widely used in production
Questioning the open-source model because bugs are actually being found is odd to me... That is the additional public scrutiny doing exactly what it's supposed to do. You know if these bugs weren't found, they'd still be there... You wanna find out the hard way, or do you wanna find out during "security month" as a part of a semi-collaborative effort to make shit better?
Even if you are to take FOSS CVEs as indicating a problem, we just had a windows issue like 2 weeks ago and instead of MS fixing it, the programming languages had to add workarounds to avoid triggering it, which tells you all you need to know
seriously, this is the entire point of open source software and why it's so important for community involvement in software development. When it comes to Apple/MS your system gets hacked and you'll never know or know why.
Is like that movie where a kid deciphers some kind of goverment code and instead of making a better encoding algorithm they try to kill the child haha
Alpine Linux is used in production a lot more than you'd think. You wouldn't run a server on it, but the small size makes it great for init / sidecar containers in a kubernetes workload, for instance.
How asinine and embarrassing 🤣
You are born to deploy kubernetess clusters. Lol
@@vito2320 It's the sysadmin equivalent of living in the pod and eating the bugs, you hate to see it.
Awwww :/ alpine is great for this stuff lol
What's good about it is that it's open source. When issues arise, we address them. It's completely open-something you can't rely on in proprietary modes. You don't even know if their software is vulnerable or not. Even when they update, you don't know what they're actually updating. #windows.
Windows isn’t actually vulnerable to this bug lmao
Boy oh boy if only the entire web was rewritten in rust am i right sisters?
😂
With the runtime which calls this glibc function?
The escape sequences you talk about around 4:09 are not for indicating that the computer should convert to this character set, it's actually that the character set is constructed out of multiple swappable sub-charsets (called "planes") and the escape sequences are used to indicate that at that point in the text, the encoding is jumping from the current plane to a different one. See the wikipedia article on "ISO/IEC_2022", subsection "Other 7-bit versions", for more info.
nerd
Best functional backdrop I have seen on youtube
Blue teams everywhere having a really shitty month.
Red teams everywhere are about to have a field day
@@rideroftheforce5245 what does this mean
@@alonsoACR I was just saying that red team pen testers are going to have a lot of successful attacks on their clients in the near future with this vulnerability
Oh boy, I thought for sure this would be a headache for me.
Luckily our code is too spaghetti to handle multiple character sets.
Oh boy, update time again
Rewrite Wordpress in Rust
Lol well that would save me from the difficult journey of rewriting my eCommerce site in Rust.
@@MentalOutlaw We need to fork rust to make the compiler punch devs into the balls every time they make a mistake, so that way they won't code any bugs even when writing in other languages (they most likely won't code at all tho)
I will do that if you promise to port 30% of plugins
@@_________________404 Lemme tell you something, almost every compiled programming language uses LLVM as it's backend mostly because it's good and let's you bind your code with other programming languages that use LLVM too. Rust has a compiler, but a frontend which checks your code, LLVM does the dirty work. It's not even about rust, I don't know why would you even comment that it's just stupid.
@@_________________404 What's so good do you find about C++ compared to rust tho? Have you ever tried them or you just made up your opinion from some CZcams video and now yelling it everywhere?
IMAGINE HOW MAY WP SITE HAD BEEN BACKDOORED INT HE LAST 24 YEARS
Trust me, WordPress sites didn't need this bug to be considered insecure. WordPress has consistently been a security nightmare.
They deserve it for using WP.
Imagine how many will be after the talk.
You can't expect them to UPDATE their servers? I mean that entails actually hiring a tech to do it! Expensive stuff.
@@iiisaac1312 Wordpress bro here, I enjoy my lambo, don't mad.
@@SGresponse 70% of the web is build on Php….this a total car crash
LAMP has been somewhat vulnerable in one way or another for quite a while now.
I don't get why anybody would use php in 2024, go is a much better alternative for the backend, for frontend just use svelte.
Each time a PHP CVE drops PHP-chan appears in my feed.
More vulnerabilities this month very fun
Can't wait until I get confirmation that my house has massive vulnerabilities and there's people living in my walla
Your thumbnails bring joy to my heart Mental Outlaw😂!
I installed a fixed version of glibc for Debian buster for our website host right away 😄 Thanks
Thanks Jason Tatum
Counter argument: All applications are vulnerable.
Software security keeps honest people away, it ain't gonna last forever against skilled/dedicated hackers.
No, theoretically, software can be impenetrable
@@Deniil2000but is in practicallity nearly impossible
Doubt on would perfectly set everything up down to binary code and Electric components
And even so, all it takes is a rare case of the suns radiation conviently changing that one 1/0 to mess it all up
"Much quicker" 24 years later... good one!
did you miss the rest of the video?
unless my reading comprehension is poor (a possibility) I believe this was discovered 24 years ago and only found to be truly exploitable 24 years later.
@@SerenadeURA that's exactly it
@@anon8510 So your conclusion is he didn't get to the point quick enough? Attention is a rare commodity these days.
@@anon8510 Also good non-committal username. Choose better.
2024 is the year of the security vulnerabilities
114/366 year is unlocked
Year of obscure vulnerabilities. Like who converts characters from UCS4 to ISO-2022-CN-EXT or haves unstable packages in production or allowing everybody running CLI commands remotely
I just wanna know who hooked ChatGPT up to metasploit and told it to go ham.
Web servers should just be able to say no, I only support utf8/utf16 and get rid of all the character set conversion nonsense server side, but the webservers are accommodating to what the browser asks for even if it far from appropriate for the site's content.
I remember when there was a bug that had existed in the sudo framework that had existed for quite some time. Not as long as this bug, but still there for years.
Hot bug summer
I read the title and my reaction was: "Well of course they are, this is PHP"
New kenny upload!!🎉
✨You are our favourite/based/red pilled honey pot chanel ✨😝
Alpine is standard like min linux distro for docker and k8s?
Moon runes? Of course.
-Gandalf
PHP perl was some of the first script used for phishing attacks. Good to see it's still knocking at system doors
I could be wrong but cursory Google searching shows that andres freund works for Microsoft and posgresql, meaning he contributes to open source but works under proprietary software leadershit?
Great video brother!
It would be nice to know if it is possible to mitigate the problem at the PHP level when you don't control the underlying server and cannot update the linux. Yet everyone seems to be talking about this Critical CVE which ramps up the stress, but there doesn't seem to be a clear path for mitigation.
Oh boy am I glad to be running alpine in docker 😮
Gentoo can optionally be set up with musl instead of glibc. Not sure how often this is done in practice however. I did my first Gentoo install only a few months ago.
What if your running the WP docker container, would i need to wait for an updated docker image from the developers so that the glibc that the docker image is using gets updated?
alpine is used often in prod, it's a lightweight base image for docker
When a malware comes up that can break out of a virtual machine sandbox, then we're in for trouble!😊
It's happened before (for example, the time they exploited gpu passthroughs to get into the host's graphics driver)
Spectre, rowhammer.
Medicaaaatiiiooonss 😂😂😂😂😂😂😂
I can still remember the conversation with my boss about Spectre. We immediately went to management on our DoD contract and got their cloud plans scuttled punctuated by "We told you so!"
They already can detect if they run in a vm or not.
Your videos are so interesting
That anime thumbnail caught my eye. I thought this was going to be a vtuber's video.
CIA NSA losing all their toys, they must have pissed someone off.
They are probably using ai to discover new toys as we speak
@@tavanogrim no wonders, that could happen
Probably not. These kinds of things have to happen or no one would believe the open source process is working.
They're leaking all of this themselves. Conditioning people to accept Rust as a "safe and secure" Messiah. Then it'll be even easier to slide in backdoors when no one's looking.
like its not (((them))) """discovering""" all these vulnerabilities
Actually paused the video and updated, though unattended-upgrades already took care of it. If youre using Ubuntu 22 then libc6 2.35-0ubuntu3.7 (check with ldd --version) is fixed despite being "under" 2.39.
Same thing happened on based.win backend, confirmed it this weekend when I saw the open wall post
@@MentalOutlaw Yeah might be a good video, ensuring security updates are on auto. Also, I'm kind of embarrassed how much I use LAMP but man its so fast to deploy
Okay I'm new to all this (been coding with a goal to get gud for about a year or two), is this many RCE executions in such a short amount of time this common? (the xz one, this php one, that one discovered in rust, etc)
This is the pinnacle of PIKE MATCHBOX
Cant wait for the first ever 11/10 to be announced for the first time and its that someone found a way to just take over the universe because someone's toaster had an exposed copper cable into the matrix
he never sleeps, only edits
2:08 alpine is not used in production? it's one of the most used distros used for docker containers
Perhaps that’s what he meant? Maybe he means the hosting servers not containers
Quack it, I'm writing my own kernel, my own libc, my own drivers and my own damn programs.
Write your own vulnerabilities. Take charge! Nice.
Okay but how are you going to produce your own hardware?
_"Little Bobby Tables"_
-XKCD
Damn this year is wild
I had to check if there was any new information on the bug, but no. So far we don't actually know if it affects all php applications, where did you get that from? The post you cited even said it's application specific.
Joke's on you, I'm forced to write my PHP on a Windows stack using IIS.
Is it a WIMP stack? :D
Yikes
Neat, I always wanted to know if they had internet access in hell, thanks for confirming.
what serious crime did you commit?
There are easier ways to tell us you're employed by psychopaths.
glibc version checker (Older than 2.39 are vulnerable)
#include
#include
int main (void) { puts (gnu_get_libc_version ()); return 0; }
Save as test.c
Run: gcc test.c -o test
./test
for the record, php on windows runs very well. Perform well too.
it is still more common to run on Linux, not because php does not work on windows, but less portable user apps. But most framework and as long as conventions are respected, zero issues.
7:15
To be fair, the xz backdoor wouldn’t be discovered in windows for a long time, but it would probably wouldn’t be introduced from the first place.
Thanks bro
as a fix, in case .40 is not available. One can disable these encodings as well. Still best to update glibc if possible.
Also, wtf with the Italian bots lmao
Many vulnerabilities being discovered lately is a good thing, because they are being seen, they are being fixed, and best of all you as the common user can know all of this.
Proprietary software? Unless the people there do a press release, you won't know a damn thing. And there is a chance that there are less eyes to discover weird activities in the code too.
What is this Affordable Connectivity Program (ACP) I keep hearing about?
what makes you say virtually any PHP application? From what i can tell an application needs to take untrusted user input in the iconv function.
thank you jayson tatum
Mental Outlaw, put some posters up, it'll make your space more cozy!
What a surprise
We were discussing pentest with one company on our system and some part of your system was still in PHP. I remember them saying - "We don't pentest PHP because it's insecure by default. Get rid of it first" 😂
yeah, sure ... what is not secure about php? is really weird that most of todays servers are powered by php, and WP on top of php, yet they do not get hacked left and right
@@GhiveciuMarian ...mOsT sErVeRs PoWeRed By pHp... 🥴
Having higher quantity of crap WP deployments doesn't mean that it's used more to serve actual http traffic.
We really need to rewrite that old gnu crap to rust with enhanced security
What other software us using iconv() and could potentially be affected?
also open source is more likely to have bugs found because people can analyse the code looking for vulnerabilities
started the video watched half-way through, updated and rebooted all servers at 3am there we go
not even billable hours :(
It's been like 10-15 years since last time I heard someone mention LAMP until today.
So am I in the clear if I have a fresh install of linux mint with no extra apps other than discord and steam, I’m new to this shindig.
is it suspected that a PHP vulnerability is why nemesis market was busted
Is the fix for this flagged as critical or whatever needed for it to be automatically installed by unanttended upgrades?
The known bugs is a SOP. Software is released with a list of known issues, that is developed as more people provide feedback.
Teams will ensure any critical issues are fixed, but non-critical issues - especially ones that have workarounds, are often released.
Oh we will, Grafana exploit just landed..it's a fun month...
Chinese characters? Again? I thought we already solved this problem with wchar and other wide character types
Php didn't catch up
We fixed it with UTF-8 being the de facto web encoding. But… legacy stuff.
I don't know much about Alpine Linux, but don't most Dockerfiles basically emulate it for their containers, by default?
Should I be concerned about the fact that CZcams app on my TV has suddenly changed to the Chinese character set?
What is thr earliest affected version? The first public release?
It requires a lot of specific requirements. how is this actaully makes all php apps vulnurable? the bug effects afaik one function and if the function is used in an unsanitized way to handle user inputs. so if you don't use that one, then you actually don't have any problems?
I started my dev life as LAMP stack dev. Still returning to LAMP for small gigs every now and then
Maybe... just maybe that is the way nemesis market got seized?
I think it will be a great content if you show a way to encrypt ur harddrive so even people who has physical acces to it can’t find the recovery keys to decrypt
> GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set
First time hearing about ISO-2022-CN-EXT. This means chinease servers. Good.
Not just Chinese servers. HTTP clients request the character encoding.
Interesting that the ISO-2022-CN-EXT character set is mainly used for traditional Chinese eg Taiwan
7:30 one could notice it with low level system wide debugging but it would be likely only if someone was reverse engineering.
First time on your page and bro you look like Jayson tatum
nice acoustics >.>