
Ffmpeg vulnerability allows the attacker to get files from your server or PC - ChALkeR
https://translate.google.com/translate?sl=ru&tl=en&u=http%3A%2F%2Fhabrahabr.ru%2Fcompany%2Fmailru%2Fblog%2F274855%2F
======
ChALkeR
Short English description:

ffmpeg vulnerability allows reading local files and sending them over network
using a specially crafted video file. This affects not only file conversion
(including thumbnail generation), but also any other operations that involve
ffmpeg processing your file — for example, ffprobe is affected. This is not
remote code execution, the vulnerability is limited to reading local files and
sending them over network, but that is already bad enough.

For example, a specially crafted «video» file uploaded to your server by an
attacker could read your website config/private keys/etc and send that to the
attacker once you try to generate a thumbnail for it or just probe it with
ffmpeg.

On a PC, you don't even need to open a file to get affected, just downloading
it would be enough in some cases — video files are processed with ffmpeg for
filemanager thumbnails (i.e. KDE Dolphin), for search indexers, etc.

That vulnerability is public, has code samples to reproduce and build a
malicious file, and is not fixed atm.

The recommended quick fix is to rebuild ffmpeg without network support
(--disable-network configure flag).

Original post:
[http://habrahabr.ru/company/mailru/blog/274855/](http://habrahabr.ru/company/mailru/blog/274855/)

The original text is in Russian, use
[https://translate.yandex.com](https://translate.yandex.com) or
[https://translate.google.com/](https://translate.google.com/) to read it.
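
Added example, not part of the original post or of ffmpeg itself: a shell check for whether an ffmpeg build still offers network input protocols, which is what the `--disable-network` quick fix above removes. It assumes the `Input:`/`Output:` layout printed by `ffmpeg -protocols`; the protocol list and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: does this ffmpeg build still have network input protocols,
# or was it built with --disable-network?

# Protocols that need ffmpeg's network layer (illustrative, not exhaustive).
NET_PROTOS="ftp gopher http httpproxy https mmsh mmst rtmp rtmpe rtmps rtmpt rtp sctp srtp tcp tls udp"

# stdin: output of `ffmpeg -hide_banner -protocols`.
# stdout: each network protocol listed in the "Input:" section, one per line.
network_input_protocols() {
    awk -v list="$NET_PROTOS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) net[a[i]] = 1 }
        /^Input:/  { in_input = 1; next }
        /^Output:/ { in_input = 0; next }
        in_input && ($1 in net) { print $1 }
    '
}

# stdin: output of `ffmpeg -version`. Succeeds if the configure line
# contains the --disable-network flag named in the post.
built_without_network() {
    grep -q -e '--disable-network'
}

# Check a real binary (default: ffmpeg on PATH). Returns 0 when no network
# input protocol is compiled in, 1 when some are, 2 when the binary is missing.
check_ffmpeg() {
    bin="${1:-ffmpeg}"
    command -v "$bin" >/dev/null 2>&1 || { echo "$bin: not found"; return 2; }
    found=$("$bin" -hide_banner -protocols 2>/dev/null | network_input_protocols | tr '\n' ' ')
    if [ -z "$found" ]; then
        echo "$bin: no network input protocols"; return 0
    fi
    echo "$bin: network input protocols present: $found"; return 1
}

# Constructed sample of `ffmpeg -protocols` output, for an offline run.
sample_protocols() {
    cat <<'EOF'
Supported file protocols:
Input:
  concat
  file
  http
  pipe
  tcp
Output:
  file
  http
EOF
}

sample_protocols | network_input_protocols   # demo on the constructed sample
```

Run `check_ffmpeg /path/to/ffmpeg` against each binary that processes untrusted files; applications that ship their own libav* builds are not covered by checking the system binary.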

------
ChALkeR
Previously posted as
[https://news.ycombinator.com/item?id=10893301](https://news.ycombinator.com/item?id=10893301),
but that ended up in [ask] due to my mistake.

~~~
ChALkeR
Tell me if I should not have double-posted it here, I will delete one of those
posts then.

------
chatmasta
`brew install ffmpeg` does not appear to default build with network support,
so mac is unlikely affected. Although I'm sure there are many mac apps that
use ffmpeg and may have it compiled with network support.

------
drv
Anyone running FFmpeg[1] on untrusted input without sandboxing of some kind is
being extremely negligent. It's around a million lines of C that does tricky
file format parsing and decoding. There will definitely be bugs in any given
version, and some of those bugs will be exploitable.

[1] Or any related tool (ffprobe, etc.), or any tool that uses the libav*
libraries, or really any non-trivial multimedia processing tool...

