Exploiting SSRF in video converters

Background

• dozenz of video formats
• hundreds of video/audio codecs
• diffrent bitrates, resolutions, etc.

FFmpeg

what is FFmpeg

According wikipedia, FFmpeg is a free software project that produces libraries and programs for handling multimedia data. In a short it’s a tool video converter.

How FFmpeg really works

Look closer to ffmpeg:extension

Play video out.mp4:

HTTP Live Streaming( HLS )

• Live and on-demand streaming
• Developed by Apple
• Support in FFmpeg
• Docs: https://developer.apple.com/streaming/

m3u8

A file with the M3U8 file extension is a UTF-8 Encoded Audio Playlist file. They are plain text files that can be used by both audio and video players to describe where media files are located. For more https://www.lifewire.com/m3u8-file-2621956

Make an HTTP request

Result:

Read respone

Convert the same above , with content of file heaer.m3u8 like :

#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
http://hydrasky.com/?.txt
#EXT-X-ENLIST

Here we are:

Exploit

Concat

Concat:reads a binary stream of data from multiple sources interprets them as if they are from the same source.

YUV4MPEG2

File header.y4m located on server localhost/header.y4m

video.mp4

Yesss, It’s work !

Conclusion

• Solution: FFmpeg protocol whitelist patch
• With lastest version from > 3.2.2 this vulnerable fixed
• There are 3 attack vectors you can exploit include: thumbnail, dns or mp4 .
• The senario simple is upload file video to server support online video converter if it’s using ffmpeg try to exploit

References

https://www.blackhat.com/docs/us-16/materials/us-16-Ermishkin-Viral-Video-Exploiting-Ssrf-In-Video-Converters.pdf