Infosec on the Threadripper NVMe Drivers, a Level1 Diagnostic | Level One Techs

TLDW: NVMe RAID on TR works fine, but why does it install two network-accessible web servers running as the SYSTEM user??


This is a companion discussion topic for the original entry at https://level1techs.com/video/infosec-threadripper-nvme-drivers-level1-diagnostic
8 Likes

Wow, this makes me even happier that I didn’t bother with setting up RAID in the UEFI and just used standard Linux software RAID.

If you’re going to be running Linux and aren’t interested in booting Windows off of the RAID array that still seems like the best choice to me.

1 Like

Full XAMPP stack running a PHP-based web interface that executes operating system commands as a privileged user?

Oh my…

I mean, what could possibly go wrong? If it compiles, ship it.

4 Likes

I don’t even know where to start…php? outdated php? And why would you need a web server at all for a driver? I just…ugh.

3 Likes

Okay, my knowledge of that stuff is limited, but even I was like: web based, PHP for setting up RAID, WAIT WUT??? The login screen was enough to make me LOL.
To me it sounds like someone wanted to make a GUI for remote access… Why else would you go web based?

What’s the best thing to write in for something like that? C++? I am just curious.

@wendell you’re REALLY understating things by describing this as “not all that terrible”

**every** **single** **revelation** was just worse and worse.

kek? :wink: It’s Windows though; I mean, how bad can it be? Also, just disable the service and do it from the CLI.

1 Like

While I didn’t understand everything fully, and sure as heck couldn’t sit down and do what you did, I liked the video. I get the main purpose of it. I enjoy watching your content, but it is unfortunate that when I come on back to the forums certain people have to set things on fire.

sure, just about any software is “safe”… once you turn it off. :stuck_out_tongue:

I don’t think this front end is new; I’m quite certain I’ve seen this RAID software before on AMD hardware.

This setup would make sense if the design intent were remote monitoring and configuration.

Should have been more scrutinized by AMD before release. The software is at least well known and modifiable without considerable reverse engineering.

Good video, but I would have liked to have seen a full and proper 30-day disclosure of most of the security risks.

3 Likes

I cringe at pfSense having a PHP based UI that most people leave accessible from internal network and never use the logout option on, but a Windows airquotes driver /airquotes, they could’ve built an electron app to manage stuff just as easily.

Lol at @wendell grepping in the CMD prompt :slight_smile: You could install bash for windows, but then you’d have an open SSH port all the time damn!

Interesting video. Good set of techniques that shouldn’t be beyond anyone to check out what is happening on their computer. Is it fair to say NVMe RAID on Threadripper is still in beta and they haven’t put the full QA into the drivers?

I usually get a bit suspect when programs install a web server, operate via a web page, and then act like it is normal… There is a time and place for this sort of thing. In a jail.

@wendell how long since you’ve let your AMD peeps know?

Otherwise I must concede that you’ve possibly goofed it a bit. But not in a bad way.

In all honesty it’s not as serious of an issue as some might think, since Threadripper NVMe isn’t all that widespread. I would expect that most people setting it up would be tech savvy enough to notice the Apache + XAMPP listening on 0.0.0.0.
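The check the post above assumes (spotting a web server bound to 0.0.0.0 and running as SYSTEM) can be scripted. The following is an added example for this thread, not code from the video, from AMD, or from XAMPP; it uses only built-in Windows cmdlets (`Get-NetTCPConnection`, `Win32_Process`) and assumes an elevated prompt so that the owner of SYSTEM-level processes can be resolved. The function name `Get-WideOpenListeners` is an invented name for this example.

```powershell
# Added example (not from the thread): list TCP listeners bound to every
# interface and show which process and which account owns each one.
# Run from an elevated prompt; otherwise GetOwner fails for SYSTEM processes.
function Get-WideOpenListeners {
    [CmdletBinding()]
    param()

    # Wildcard binds: IPv4 0.0.0.0 and IPv6 :: accept connections on all interfaces,
    # which is what turns a "local" management UI into a network-reachable one.
    $wildcards = @('0.0.0.0', '::')

    Get-NetTCPConnection -State Listen |
        Where-Object { $wildcards -contains $_.LocalAddress } |
        ForEach-Object {
            $conn = $_
            # Resolve the owning process and the account it runs under.
            $proc = Get-CimInstance -ClassName Win32_Process `
                        -Filter "ProcessId = $($conn.OwningProcess)"
            $owner = $null
            if ($proc) {
                $o = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
                if ($o.ReturnValue -eq 0) { $owner = "$($o.Domain)\$($o.User)" }
            }
            [PSCustomObject]@{
                LocalAddress = $conn.LocalAddress
                Port         = $conn.LocalPort
                PID          = $conn.OwningProcess
                Process      = $proc.Name
                Path         = $proc.ExecutablePath
                RunsAs       = $owner
                # The combination the video complains about: reachable from the
                # network AND running with SYSTEM privileges.
                IsSystem     = ($owner -eq 'NT AUTHORITY\SYSTEM')
            }
        }
}

# Usage: print every wildcard listener, SYSTEM-owned ones first.
Get-WideOpenListeners |
    Sort-Object -Property IsSystem -Descending |
    Format-Table -AutoSize
```

The `Path` column is the quickest way to tell a vendor-installed Apache or PHP apart from something you put there yourself; `netstat -abno` from an elevated Command Prompt gives the same port-to-executable mapping without the account name.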

The XAMPP version 1.8.0 is also REALLY REALLY old. It’s like they shipped it with whatever random version a Johnny developer had left in his downloads folder.

Among a number of issues it has a neat WriteIntoLocalDisk method.
https://www.exploit-db.com/exploits/28654/

But now, since it’s running as a system-level privileged user, guess what that does… We can probably make XAMPP run an executable.

That said, however, this is one goofed utility. Your assessment is pretty much correct, albeit understated in the most British of ways. :smiley:

@wendell Good video. I like the short format dealing with one problem at a time; this format of info sharing could keep less tech-savvy people, like me, out of trouble when attempting something new. (Never done any serious RAID stuff.)
As far as AMD goes, maybe they assumed that people on Threadripper doing a RAID array would know that they needed to kill the XAMPP and PHP processes afterwards.

Emailed board partners about it over 45 days ago. “We will pass it along”. Emailed @amd contacts twice, no reply, oldest of which more than a month ago…

ASRock provided the drivers early and I sent a warning then, which was well before even the September 25 original planned release. Hoping the public release would address the issue, since the drivers were not in wide release. AMD did delay the drivers a week or so, but I think that was because the drivers clobber existing SATA arrays.

I would also point out this is an obvious configuration problem, not a problem with binaries, a buffer overflow, etc. The issues would be obvious even to script kiddies imho. I didn’t set out to do a security evaluation here… I just installed the drivers and noticed Apache running as system. So I don’t think a normal disclosure process would really apply, but I followed it anyway.

8 Likes

This is very different. It is not meant to be a remote interface, for starters. Things like pfSense are running php as a legitimate website, not as a desktop tool. And things are configured properly. I haven’t looked at this specific php code, but as noted, at least it has a password on it. The apache misconfiguration is probably the more severe risk (and, depending on how the password was handled, may compromise that as well — the bits of php shown in the video were a bit cringy).

Another thing to think about is that XAMPP, while an awful and completely misguided tool, is popular with web devs (and especially so among beginners). The fact that it’s already (maybe unexpectedly) running means it might interfere with other usage — and what would happen if someone tried to install their own copy? Or upgrade / uninstall it? Maybe they thought of these problems (though ?? I wouldn’t be surprised), but it just underscores how unsuitable a solution this is for the problem.

This is good to hear. Probably should have stuck it in the video, at the beginning.

Redundant Array of Independent Facepalms!

Sorry, I couldn’t help myself.

5 Likes

Or Redundant Array of Attack Vectors.

Sounds like they just borrowed Hee Sung’s nephew.

1 Like