
Tell HN: Ffmpeg vulnerability allows attacker to get files from server or PC - ChALkeR
ffmpeg vulnerability allows reading local files and sending them over network using a specially crafted video file. This affects not only file conversion (including thumbnail generation), but also any other operations that involve ffmpeg processing your file — for example, ffprobe is affected.

This is not remote code execution, the vulnerability is limited to reading local files and sending them over network, but that is already bad enough.

For example, a specially crafted «video» file uploaded to your server by an attacker could read your website config/private keys/etc and send that to the attacker once you try to generate a thumbnail for it or just probe it with ffmpeg.

On a PC, you don't even need to open a file to get affected, just downloading it would be enough in some cases — video files are processed with ffmpeg for filemanager thumbnails (i.e. KDE Dolphin), for search indexers, etc.

That vulnerability is public, has code samples to reproduce and build a malicious file, and is not fixed atm.

The recommended quick fix is to rebuild ffmpeg without network support (--disable-network configure flag).

Original post: http://habrahabr.ru/company/mailru/blog/274855/

The original text is in Russian, use https://translate.yandex.com or https://translate.google.com/ to read it.
======
tsukikage
The key insight is that you can construct an HTTP live streaming playlist that
causes the player to pull lines from a series of files, concatenate them
together to form a URL then visit that URL, making it possible to exfiltrate
data.

It is unclear whether this is ffmpeg-specific, or something the HTTP live
streaming protocol actually requires and therefore potentially of wider
impact; I can't find any obvious reference to this feature with either a quick
Google or a skim of the Apple RFC. Does anyone know?

------
brudgers
Link:
[http://habrahabr.ru/company/mailru/blog/274855/](http://habrahabr.ru/company/mailru/blog/274855/)

~~~
ChALkeR
[https://translate.google.com/translate?sl=ru&tl=en&u=http%3A...](https://translate.google.com/translate?sl=ru&tl=en&u=http%3A%2F%2Fhabrahabr.ru%2Fcompany%2Fmailru%2Fblog%2F274855%2F)
will work better, I suppose.

------
espes
Heh, this 'feature' was the intended solution of a CTF challenge 3 months ago:
[https://github.com/ctfs/write-ups-2015/tree/master/9447-ctf-...](https://github.com/ctfs/write-ups-2015/tree/master/9447-ctf-2015/web/super-turbo-atomic-gif-converter)

------
anonfunction
Can the malicious video file be an actual mp4 file? We're accepting video and
running it through ffmpeg, however we first verify the file is an mp4 using
[https://golang.org/src/net/http/sniff.go](https://golang.org/src/net/http/sniff.go)

~~~
ryanlol
Possibly? Who knows? Parsers are complex and I doubt ffmpeg relies on file
extensions to figure out the format.

~~~
ChALkeR
It does not, that's covered in the original article.

~~~
anonfunction
It does not what? Can you share quotes from the article or the translated
article source you read?

Confusion:

Are you saying that ffmpeg doesn't detect file by extension?

or

Are you saying that ffmpeg won't execute the malicious code if it's found
appended to a valid video?

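The question above (whether a file that sniffs as mp4 can still carry the HLS playlist) is left open in the thread. The following is an added example, not code from the thread or from ffmpeg: it runs Go's `net/http` content sniffer that anonfunction mentions and then scans the whole upload for M3U8 playlist directives, showing that the sniffer alone passes a constructed file whose first 20 bytes form an mp4 `ftyp` box while playlist text sits further in. The `ftyp` header bytes and the playlist lines are constructed samples, and the check is a conservative pre-filter only; the thread's real mitigation is building ffmpeg with `--disable-network` or running it without network access.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"net/http"
)

// hlsMarkers are the M3U8 directives an HLS player looks for. An upload that
// contains them anywhere is treated as a playlist, however its header sniffs.
var hlsMarkers = [][]byte{[]byte("#EXTM3U"), []byte("#EXT-X-"), []byte("#EXTINF")}

// ErrPlaylist is returned when the upload carries HLS playlist directives.
var ErrPlaylist = errors.New("upload contains HLS playlist directives")

// CheckUpload runs the header sniff (net/http's DetectContentType) and then a
// whole-file scan for HLS markers. It returns the sniffed type and a non-nil
// error when the file should be rejected before it reaches ffmpeg.
func CheckUpload(data []byte) (string, error) {
	ctype := http.DetectContentType(data)
	if ctype != "video/mp4" {
		return ctype, fmt.Errorf("unexpected content type %q", ctype)
	}
	for _, m := range hlsMarkers {
		if bytes.Contains(data, m) {
			return ctype, ErrPlaylist
		}
	}
	return ctype, nil
}

// mp4Header is a constructed 20-byte ISO BMFF 'ftyp' box (box size 20, major
// brand mp42, version 0, compatible brand mp42). It is only the part the
// sniffer inspects, not a playable video.
func mp4Header() []byte {
	return []byte{0, 0, 0, 20, 'f', 't', 'y', 'p', 'm', 'p', '4', '2', 0, 0, 0, 0, 'm', 'p', '4', '2'}
}

func main() {
	// Constructed samples: a bare header, a bare playlist, and a header with
	// playlist text appended. Only the last one gets past the sniffer alone.
	samples := map[string][]byte{
		"header only":       mp4Header(),
		"playlist only":     []byte("#EXTM3U\n#EXT-X-VERSION:3\n"),
		"header + playlist": append(mp4Header(), []byte("\n#EXTM3U\n#EXT-X-VERSION:3\n")...),
	}
	for name, data := range samples {
		ctype, err := CheckUpload(data)
		fmt.Printf("%-18s sniffed=%-26q err=%v\n", name, ctype, err)
	}
}
```
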
------
abrezas
Patch on chrome that enabled ffmpeg networking
[https://codereview.chromium.org/1391383002/patch/1/10001](https://codereview.chromium.org/1391383002/patch/1/10001)

------
joeyspn
PC... and also mac? I have ffmpeg installed via homebrew...

~~~
ChALkeR
It's «PC» as in «server»/«PC», not as in «mac»/«PC».

------
ChALkeR
By the way, mplayer is also affected, even after installing a fixed version of
ffmpeg.

~~~
ChALkeR
Looks like it bundles libavformat internally.

------
ChALkeR
Hm. Why did this end up in [ask]? Perhaps I made a mistake when posting this
=).

~~~
brudgers
If there is text in the text box, it goes to "Ask HN" (or "Show HN" when
that's in the title).

To post a link, there should just be a title and a link and no comment.

~~~
ChALkeR
Should I post this again with a link so it ends up in the news or not?

~~~
maaarghk
Ship's sailed I think, this is on frontpage, maybe dang will merge them at
some point.

------
josesilva
Any CVE or answer from upstream about it? Is Firefox as well affected?

------
dzbarsky
This is why you should use containers for running binaries on user-supplied
data.

