Comments by "Mikko Rantalainen" (@MikkoRantalainen) on "They Let the Intern Code..." video.
I maintain multiple servers and my go-to rule with even throwaway shell scripts is that all input must be considered unsafe. Always encode data as data regardless of the programming language you use and all injection attacks immediately vanish everywhere.
5
Since the bug is inside an image stored in squashfs, you would need to first fix it in the firmware image, then somehow get the firmware checksums to match to get the hardware to install the firmware, and then it would be fixed. Squashfs is a read-only filesystem started from an image delivered via the firmware image. Making permanent changes to that is far from simple.
5
@BillAnt I would argue that China is perfectly capable of producing high quality software and hardware. However, when work is outsourced to China, it's not done to increase quality but to reduce costs. So the order to China is "make it as cheap as possible and then some" instead of "please, make high quality software". Apple outsources iPhone manufacturing to China, too. Most people seem to think that is quite a high quality product.
4
And even in countries with consumer protection laws, the manufacturer can get away with an EULA saying that the software is delivered as-is. Consumer protection laws are often written in a style that covers only manufacturing issues, not design issues, unfortunately.
2
@mikaay4269 Sure, but most non-developers fail to understand why software as-is is not acceptable if the software cannot be easily replaced by the end user. I wish the EU had consumer protection laws saying that if the software comes pre-installed in hardware, it must be covered by the warranty of said hardware.
2
@nomore6167 The difference is that string handling is easy in PHP. It takes next to no time to verify all user input against an expected syntax regex (e.g. preg_match("#^[A-Za-z0-9]+\$#", $name) to verify that the user input for name contains only uppercase and lowercase letters or decimal digits). However, when you then try to do similar stuff in plain old C, even checking the length of user input given as a string is an adventure in itself: do you have the length of the input somewhere, or do you assume that it's safe to scan for the next null byte and stop there?
1
Around 1995, CGI was literally command line executables forked and executed by the web server with stdin and stdout connected to the browser. And a fork per incoming request! I guess the D-Link software quality has improved about zero since 1995.
1
@nomore6167 I agree. This serious security vulnerability has been in the product since day 1 and it would have been found earlier if somebody had ever bothered to do the same task that this video describes.
1
11:08 I would argue that sprintf() may actually be safe here as long as there's nothing in the stack after the memory address they are writing the sprintf() output into. This is because the OS takes care of extending the stack or killing the process if sprintf() tried to write too much output, so there's no buffer overflow vulnerability for that part. Of course, passing the output to system() is definitely not okay. Zero error checking is also worth noting here. Even without vulnerabilities, if e.g. adduser failed for any reason, this piece of crap would immediately proceed to blindly execute additional commands as root.
1
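The two comments above (the PHP allowlist regex versus C length handling, and the sprintf()/system() call with no error checking) both come down to the same defensive pattern. The following C program is an added example written for this page; it is not code from the commenter, the video, or the D-Link firmware. The function names (name_is_valid, build_adduser_line, run_argv), the 32-byte name limit and the sample inputs are all constructed for illustration. It shows the C equivalent of the preg_match() allowlist with an explicit length bound, snprintf() with a truncation check instead of sprintf(), and fork()/execvp() with an argv vector instead of system(), so the name travels as data rather than as shell text, and the exit status is checked before anything else runs.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define NAME_MAX_LEN 32   /* constructed limit; pick one that fits the system */

/* Allowlist check, the C counterpart of preg_match("#^[A-Za-z0-9]+$#", $name).
 * The length is bounded explicitly with strnlen() so we never scan past
 * max_len + 1 bytes looking for a NUL that may not be there. */
int name_is_valid(const char *name, size_t max_len) {
    size_t len = strnlen(name, max_len + 1);
    if (len == 0 || len > max_len) return 0;        /* empty, too long, or unterminated */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9');
        if (!ok) return 0;                           /* ';', '|', '$', space, ... rejected */
    }
    return 1;
}

/* Format "adduser <name>" into a caller-supplied buffer. snprintf() returns
 * the length it wanted, so truncation is detected instead of overflowing.
 * Returns 0 on success, -1 on invalid name or if the line does not fit. */
int build_adduser_line(char *buf, size_t buf_size, const char *name) {
    if (!name_is_valid(name, NAME_MAX_LEN)) return -1;
    int n = snprintf(buf, buf_size, "adduser %s", name);
    if (n < 0 || (size_t)n >= buf_size) return -1;
    return 0;
}

/* Run a program with an argv vector. No shell parses the arguments, so a
 * validated name can only ever be one argument, never extra commands.
 * Returns the child's exit status, 127 if exec failed, -1 on fork/wait error. */
int run_argv(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                                  /* exec failed in the child */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (!WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    /* Constructed sample inputs: one clean name, one with shell metacharacters. */
    const char *inputs[] = { "bob", "bob;id" };
    for (size_t i = 0; i < 2; i++) {
        char line[64];
        if (build_adduser_line(line, sizeof line, inputs[i]) != 0) {
            printf("rejected input: %s\n", inputs[i]);
            continue;
        }
        printf("would run: %s\n", line);
        /* Demonstrate the argv form with echo so the example does not need root;
         * a real tool would pass {"adduser", name, NULL} and stop on failure. */
        char *argv[] = { "echo", "argv form:", "adduser", (char *)inputs[i], NULL };
        int rc = run_argv(argv);
        if (rc != 0) {
            printf("command failed (status %d), not continuing\n", rc);
            return 1;                                /* do not blindly run the next step */
        }
    }
    return 0;
}
```

The point of the three pieces together is that each failure mode the comments mention has a cheap check: the allowlist plus strnlen() replaces the "scan for the next null byte" guess, the snprintf() return value turns a silent overflow into a detectable error, and execvp() with a checked exit status removes both the shell parsing and the blind continuation after a failed adduser.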