Tell HN: Ffmpeg vulnerability allows attacker to get files from server or PC
This is not remote code execution, the vulnerability is limited to reading local files and sending them over network, but that is already bad enough.
For example, a specially crafted «video» file uploaded to your server by an attacker could read your website config/private keys/etc and send that to the attacker once you try to generate a thumbnail for it or just probe it with ffmpeg.
On a PC, you don't even need to open a file to get affected, just downloading it would be enough in some cases — video files are processed with ffmpeg for filemanager thumbnails (i.e. KDE Dolphin), for search indexers, etc.
That vulnerability is public, has code samples to reproduce and build a malicious file, and is not fixed atm.
The recommended quick fix is to rebuild ffmpeg without network support (--disable-network configure flag).
Original post: http://habrahabr.ru/company/mailru/blog/274855/
The original text is in Russian, use https://translate.yandex.com or https://translate.google.com/ to read it.
24 comments
[ 4.7 ms ] story [ 30.2 ms ] threadIt is unclear whether this is ffmpeg-specific, or something the HTTP live streaming protocol actually requires and therefore potentially of wider impact; I can't find any obvious reference to this feature with either a quick Google or a skim of the Apple RFC. Does anyone know?
To post a link, there should just be a title and a link and no comment.
Confusion:
Are you saying that ffmpeg doesn't detect file by extension?
or
Are you saying that ffmpeg won't execute the malicious code if it's found appended to a valid video?