Local Root Exploit in HospitalRun Software
Рет қаралды 68,027
Күн бұрынLet's talk about a "security flaw in hospital software that allows full access to medical devices". This issue was disclosed on LinkedIn and included a full exploit code. Let's use this app as an example on how to find a macOS privilege escalation and learn how local root exploits can work.
Print BINGO sheet: / 1682650394227351552
Sources:
Original LinkedIn Post: web.archive.org/web/202304240...
The Exploit code: 0day.today/exploit/38531
"The project has been deprecated for 2 years. Version 1.0.0-beta has been an EOL for at least 5 years" - developer statement: / 1650059269939552256
My references finding priv esc issues in macOS apps:
github.com/cure53/Publication...
github.com/cure53/Publication...
github.com/cure53/Publication...
github.com/cure53/Publication...
Help me pay for any legal trouble in case somebody wants to sue me (advertisement): shop.liveoverflow.com/
Chapters:
00:00 - Intro: Practice Research with Existing Issues
01:45 - HospitalRun Functionality
03:07 - What is a Local Root Exploit?
05:49 - Typical macOS Priviledge Escalation Issues
09:23 - Looking for Priviledged Helper in HospitalRun
10:10 - My Experience in finding Local Root Exploits on macOS
11:46 - Threat Modeling and Common Deployments
13:11 - Was this an April Fools Joke?
14:18 - Analysing and Cleaning Up The Exploit Code
17:51 - Reading Comments on LinkedIn
19:29 - BINGO!
=[ ❤️ Support ]=
→ per Video: / liveoverflow
→ per Month: / @liveoverflow
2nd Channel: / liveunderflow
=[ 🐕 Social ]=
→ Twitter: / liveoverflow
→ Streaming: twitch.tvLiveOverflow/
→ TikTok: / liveoverflow_
→ Instagram: / liveoverflow
→ Blog: liveoverflow.com/
→ Subreddit: / liveoverflow
→ Facebook: / liveoverflow
@kinshukdua Жыл бұрын
When the author's comment said- "[This exploit] can change your blood group". I honestly believed this was an April Fool's joke for a second...
@user-qm4ev6jb7d 11 ай бұрын
Will melt your face right off your skull, And make your iPod only play Jethro Tull, And tell you knock-knock jokes while you're trying to sleep, And make you physically attracted to sheep, Steal your identity and your credit card, Buy you a warehouse full of pink leotards, Then cause a major rift in time and space, And leave a bunch of Twinkie wrappers all over the place! - “Virus Alert” by Weird Al Yankovic
@tercmd Жыл бұрын
The "it's not an April Fools joke" to "it is" to "it is not" was too good 😂
@ismiregalichkochdasjetztso3232 Жыл бұрын
The sad thing here is that this isn't a joke. It's just Jean Pereira being an infosec fraud.
@paroryx2805 Жыл бұрын
liveoverflow just made this so exciting!
@Kekejdjkdkdkid83i3k48oe 3 ай бұрын
He made a video about him on LiveUnderflow (in german)
@BWAC Жыл бұрын
As someone who installed critical infrastructure around the health care sector for a while here my heart was racing.
@BWAC 11 ай бұрын
@@JohannaMueller57 Every request i've forwarded to health care equipment has fallen on deaf ears. Somehow these companies who charge a mint for products have no intentions of fixing life saving equipment running with admin/admin over http, then advocating for it to be put on a corporate WAN. As for leaving it's not some "if people start leaving they will fix problems" - It's more they'll replace you with people who don't know or don't care. The people who make products and install them are rarely the same company. Sad truth, but hey.
@leumasme Жыл бұрын
Thank you for rekindling my disgust towards the LinkedIn community
@scifino1 11 ай бұрын
"On Mac, like many other Linux-distros, ..." LMAO
@Pokedollar Жыл бұрын
Ive seen Jean Pereira too many times on my linkedin feed and I just have to cringe every single time. I also love how he claims that he has learned everything himself and that he doesnt need any cybersecurity education 😂
@wojtek8395 Жыл бұрын
Thank you for your videos and hard work! Your channel covers a lot of technical details and professional knowledge that is really hard to find on the internet (in the approachable way) and which I deeply enjoy!
@milomoisson Жыл бұрын
The mic drop at 11:40 is amazing
@TheMAZZTer Жыл бұрын
Raymond Chen of Microsoft does an irregular blog series called "The other side of the airtight hatchway" meaning that a "security vulnerability" reported would be great if it could actually get you to the other side of the hatch (root/admin). I think in this case using sudo to run an app as root that isn't designed for that counts, since you have to already enter your credentials for sudo. And if you do that, you could just use sudo to run a malicious app directly, no need for hospital run at all.
@hyronharrison8127 Жыл бұрын
Imagine my vuln writeup: You have to beg them to misuse the application but THEN...
@codahighland Жыл бұрын
@@hyronharrison8127 To be fair, that's the most common way it's done. We call it "social engineering." A lot of applications will actually refuse to run if they detect escalated privileges specifically to protect users from their own misguided misuse.
@beeble2003 11 ай бұрын
That's all very well, but there are a lot of cases where people do run apps as root, even though they shouldn't, because it's "easier". And in a case like this one, it's a problem to have even a privilege escalation to whatever user the software is run as. If I can become that user, I can modify patient data, even if I can't take over the machine.
@labsupri6681 Жыл бұрын
So was the original guy just spreading misinformation?
@BastiSenf 9 ай бұрын
@@UC1kVaZyvOs39Y it's been two month from your comment, but you hopefully see this. I know people that want to make business with that guy. Can you give me some more detailled information why to not make business with him? appreciate it
@andrekz9138 Жыл бұрын
Even in a situation like this, I find you inspirational. Thanks for your videos and content
@michidk Жыл бұрын
So if I understood it correctly, that guy executed that program as root, then used root access to patch his custom code into the executable which opens up a TCP server. Using netcat he then connected to that server as user and executed privileged commands? This would work in every application which uses a non-compiled JIT language... Basically a really weird flex, probably to get some followers and sell his software?
@DFsdf3443d Жыл бұрын
not just JIT programs, it literally works on every single executable (its just a bit more complicated to patch binary code into a compiled program but you can still do it) basically this guy just claimed "sudo" was a privilege escalation technique lmao
@maratmkhitaryan9723 Жыл бұрын
liveoverflow also said that there are no privileged processes 11:03
@lbgstzockt8493 10 ай бұрын
He isn't wrong lol@@DFsdf3443d
@DanelonNicolas Жыл бұрын
Awesome journey! I literately feel it like a real research! Love the video, thanks!
@pengrey Жыл бұрын
The bingo middle finger got me ngl.
@fabiorj2008 Жыл бұрын
Bingo. Thanks for the video. Its amazing explain a lot about some hype that coming and go in cyber security.
@chrisconnell2763 9 ай бұрын
Dude, changing a physical file is considered a vuln or even a 0-day? WTF. Yeah, but the vid you did on leeroy getting kinda fooled by JP made it a bit clearer to me. Big UP and many thanks for this enlightenment!
@LiEnby 2 ай бұрын
Maybe?? If thr electron binary was run as root but the asar file was world writable itd make sense. But its not ...
@cannedwither8494 Жыл бұрын
First Name: Live Last Name: Overflow Reason for visit: Brain too big. Hahahahahaha nice
@ElliotGuy-tp4si Жыл бұрын
0daytoday is an ExploitDB clone and the admin tricks people into buying fake exploits. All of the user accounts are the same person, there are videos about this. Great video LO! Just wanted to warn people of this...
@VolkerBaier Жыл бұрын
Einfach nur danke für dieses Video!!
@rooot_ Жыл бұрын
4:07 "Now on mac, like many other linux distros," hmmm
@ET_AYY_LMAO 11 ай бұрын
> Replace executable with your own modified one. > Run as root. > Profit 1000 linkedin karma from reactionary dimwits.
@konfushon Жыл бұрын
Wait what...that was a great suspense 😂
@PatrickHener Жыл бұрын
Really good Video.
@Odlabu_22 Жыл бұрын
Truly an informative, comprehensive and entertaining video + Bingo. One of my favorites, thanks for the great effort. Congratulations pal!
@MiteBlueRuby Жыл бұрын
and that is why specifying d/m/y or m/d/y is important
@Z3rgatul Жыл бұрын
after working for US customer for 10+ years every time i see date like 06-04-2023 my brain refuses to accept such date format I just assume it can be both if I need to record a date somewhere I use 2023-06-04
@RetoonHD Жыл бұрын
@@Z3rgatul that's totally, fine, either go big to small or small to big. But m/d/y is ludicrous, same goes for most imperial measurements.
@AquilaSornoAranion Жыл бұрын
Always yyyy-mm-dd
@berndeckenfels Жыл бұрын
No matter how you write that date it was not April 1st
@Dvd-Znf Жыл бұрын
What>??? Was the original post a joke or not? I am a bit confused by the end bit... excerpt: "This code, was not prepared ahead of april fools day? Bingo! You know what else was not an april fools joke but looks like one? [...]" Very clever video
@alvirus594 Жыл бұрын
the original post was meant seriously, hence why liveOverflow was blocked, but the exploit shown came from malpractice from the guy that presented the exploit on the 0day site.
@BrotWurst 9 ай бұрын
i really like how you've said in the beginning of the video "last time i sadly couldnt find a vulnerability. but this time i do a challenge so we can definitely find one!" and there's still not a real issue :D but still very informative bro! keep it up hacker boy! liebe grüße.
@BrotWurst 9 ай бұрын
hätte gleich deutsch schreiben können merke ich gerade ahha
@EuphoricPentagram Жыл бұрын
11:46 so Privilege Escalation is more of a Privilege Declaration, on to or via a root daemon. It's not user becoming root, it’s user communicating through an already root system.
@user-qm4ev6jb7d 11 ай бұрын
In a real attack, it could be a program, not a human user. So it's a virus that gets onto the target machine in a non-root way (like in a mail attachment), and then "escalates" itself by forcing the root daemon to... for example, install the command "run this virus as root" into the system's task scheduler, so that it's launched on every system restart.
@davidifebueme459 11 ай бұрын
The mic drop at 11:44 😂😂
@TNothingFree Жыл бұрын
These kind of open sources may be used in testing environments in companies. The most useful thing is to use them as 3rd party vendors for integration testing purposes. So it may be not viable for production but students and testing teams may find it useful.
@mcool4151 Жыл бұрын
Great one!🤣
@maixicek Жыл бұрын
Watching this after movie Babylon so finally I get some drama genre 🙂
@anuzravat Жыл бұрын
Ayi Sabashhh
@ChakaHamilton Жыл бұрын
I hope in the future you make more hardware hacking vids
@TheInspctrcat 11 ай бұрын
Why doesn't Michael Cera act in films? Passionate about hacking apps. Actually just found your channel, very cool content.
@gokupwn Жыл бұрын
😂😂😂 Love youuu
@z-root8955 Жыл бұрын
😂😂 great video as always
@notthere83 10 ай бұрын
I know very little about security, stumbled across this randomly. But it seems strange to me that entering the password for a regular user is sufficient to install a root daemon. Shouldn't anything that runs as root require entering the root password?
@itech7354 Жыл бұрын
Please make one amazing hacking video playlists ❤❤❤
@olekbeluga314 Жыл бұрын
lol @ broadcasthost, love that [3:44]
@dylan8736 Жыл бұрын
You really look like Christopher Slater as Mr. Robot.
@hanskohl293 11 ай бұрын
I'm just a comment for the algorithm.
@rootsudosu 11 ай бұрын
i found you with the Minecraft stuff on your channel, is there any new minecraft stuff upcomming ?
@AvinashKumar-fe8xb Жыл бұрын
lol lol lol, loved it
@kipchickensout 9 ай бұрын
Bingo!
@sand3epyadav 11 ай бұрын
Tq
@nosystemissaf3 Жыл бұрын
its the best joke to know i laughed very hard in a while
@user-tr8fu4kw1l Ай бұрын
it was nice Broooooo
@jonathan-._.- Жыл бұрын
🤔 ive seen some apps that check at the start if they are run as root and then stop execution
@chri-k 11 ай бұрын
that’s done by software which by design allows arbitrary code to be executed ( package managers, for example )
@hikkamorii 10 ай бұрын
@@chri-k I think they meant other way around. For example, when you install steam on linux, and try to run it as root, it will immediately exit with an error message like "It's not safe to run steam as root, don't do that"
@chri-k 10 ай бұрын
@@hikkamorii yes, because steam also allows arbitrary code to be executed on your computer.
@Finnel12 Жыл бұрын
I am confusion
@ameeratcyber7108 11 ай бұрын
so cool xD
@UntrackedEndorphins Жыл бұрын
Grifter gets called out: a video presentation
@tg7943 11 ай бұрын
Push!
@rosyidharyadi7871 Жыл бұрын
this is hilarious
@tejaskumar9057 8 ай бұрын
ngl he had us in the first 20 mins :D
@6little6fang6 Жыл бұрын
brilliant piece of media
@a.for.arun_ 11 ай бұрын
The twist. Lmao hahahaha
@SuperNeon4ik Жыл бұрын
You forgot the end cards :P
@skylo706 9 ай бұрын
Maybe I'm just stupid but why can the vpn install a certain part that runs with root privileges? You only entered your non root user password it seemed. Doesnt that mean we could just write our own installer that asks for user password but puts malicioua code under a root level part?
@LiveOverflow 9 ай бұрын
what you think is the "non root user password", gives the root permissions. Ever used Linux with sudo? When your user belongs to the sudo group you also enter YOUR user's password to execute a command as root.
@user-vj6lr6cd8n Жыл бұрын
the hacker news bdarija
@Almostbakerzero Жыл бұрын
i think it would be fine to call out the fact that this person is obv. attempting to bullshit others. its not a nice thing to do.
@stellabckw2033 11 ай бұрын
why tho
@prodigysonhiddenforareason1239 Жыл бұрын
I don't understand, are we expecting a sequel ?
@alvirus594 Жыл бұрын
the guy that posted the exploit used malpractice and ran the program as root to make it seem like he had a crazy exploit, but its just that: malpractice and a joke at best
@taoufikmourtadi909 11 ай бұрын
What is the name of this phenomenal 😅
@AlphactoryAT 3 ай бұрын
I just got a linkedin request from this guy??????? like, what?
@KebabTM Жыл бұрын
July Fools
@walturowhite69 Жыл бұрын
Within 1 hour gang!! So excited to see the video past 3:56!!
@Zappexe Жыл бұрын
Brain too small LMAO
@N1ckdgr8 Жыл бұрын
Broo......App sec video or a Christopher Nolan movie ????
@Originalimoc Жыл бұрын
Android does it right, 3rd party VPN need no root.
@sulochanakharat9033 Жыл бұрын
was it a joke or not ?
@GermanLc 11 ай бұрын
what
@zvanmilisavljevic8879 Жыл бұрын
Hey, i found the liveoverflow smp! And i made a mod for it!
@netrunner1145 11 ай бұрын
After your video, he removes the post on linkedin lel
@BourbonCrow. 11 ай бұрын
If comic sans made it to the front of goverment buildingfs and coins and stuff i bet your font can get far as well! haha and no nothing is worse then comic sans
@stanislavsmetanin1307 Жыл бұрын
🤪
@pitust Жыл бұрын
It seems that on macOS, you don't need root to make a VPN (for example, tailscale doesn't include a root daemon)
@dsharpbb09 Жыл бұрын
This video isn’t funny the first time through. But it is the second time.
@KochamShotowac Жыл бұрын
Morawiecki na miniaturce
@0x42NaN Жыл бұрын
lol?
@berndeckenfels Жыл бұрын
I don’t get the Joke
@penewoldahh Жыл бұрын
YOU'RE HACKING HOSPITALS?? Jk
@flrn84791 Ай бұрын
zero day exploit 😂
@foobars3816 11 ай бұрын
9:24 "how [] can look like" -> downvote
@piecaruso97 Жыл бұрын
"on mac like any other linux distro" man have you forgotten that modern macos is based on the xnu kernel?
@khill8645 Жыл бұрын
It seems perfectly cromulent, I don't think any of us have figured out a way to pronounce '*nix' yet
@piecaruso97 Жыл бұрын
@@khill8645 well the xnu kernel is basically the mach kernel from Carnegie Mellon university, a BSD subsystem and a lot of custom code added to o it, so it's not related to unix in the strictest sense, however that BSD part was made by actually replacing every source file from the og unix source code release with reimplementations made by the Berkeley University developers that originally made BSD, so it's a compatible program, but it's not actually unix and of course it's not really the base of the xnu kernel, but a subsystem that it's used to provvide an interface for programs to run on and to have compatibility with existing unix/bsd software. So xnu it's actually it's own very wired beast.
@tanguysnoeck3166 Жыл бұрын
🤓
@khill8645 Жыл бұрын
@@piecaruso97 It isn't about 'custom code' or whatever, it's just about POSIX compliance.
@chri-k 11 ай бұрын
that was fully intentional
@myname-mz3lo Жыл бұрын
the software shouldnt allow the user to run it as root. making it a software issue not a user issue .
@cjbprime Жыл бұрын
There isn't a vulnerability (that we know about) even if you install and run it as root. You would then need to be root to be able to rewrite the ASAR. "Elevating privileges" from root to root doesn't gain you anything.
@mapleint997 11 ай бұрын
I'm american, have never seen yyyy/dd/mm, we're notorious for going month then day.
@alexanderdell2623 Жыл бұрын
Hi, please note that 0daydottoday is SCAM, please dont do advertisements for them cause naive ppl still get caught by their “5k for instagram takeover exploit”
@chri-k 11 ай бұрын
what’s that?
Low Level Learning
Рет қаралды 1,3 МЛН